Health information for more than five million individuals spanning several years was improperly released in June, 2012, Health Minister Margaret MacDiarmid said today.

It was one of three breaches discovered as government officials looked at tens of thousands of computer records going back several years, including databases, email files and storage devices as part of an investigation announced in September, MacDiarmid said.

The investigation has so far led to the firing of seven people and the stoppage of several drug research contracts. There are still many details that can't be divulged, but the government needed to make the public aware of the breaches, she said.

The contractor who received five million people's data on a USB drive was authorized to have it, but it was supposed to be encrypted and non-identifiable. "Instead the data that was received was not encrypted and it was personally identifiable," said MacDiarmid.

The plain text file included personal health numbers, gender, age group, length of hospital stays and amounts spent on the individuals' health care.

The second breach MacDiarmid discussed involved the data for 21,000 people. The data, shared on a USB drive, included information on 262 chronic diseases or conditions and the prescription drugs people received for them. The information was shared without a data request being approved, MacDiarmid said.

The third breach included health data for 38,000 individuals that was shared with a researcher in June, 2012, breaking an agreement the province had with Statistics Canada. The file had information from StatsCan's Canadian Community Health Survey, including details about people's health status, mental health, sexual health, physical health, lifestyle and use of health services.

The file also included personal health numbers, gender, dates of birth, postal codes, hospital admissions, hospital discharges, medication history and medical service plan claims.

The ministry is sending letters to the individuals whose information was included in the third breach, but not the other two, a response MacDiarmid said was consistent with advice from Information and Privacy Commissioner Elizabeth Denham.

"The investigation has been incredibly complex and it's ongoing," said MacDiarmid. "There is no evidence, we have not found any evidence, that any of this data has been used for anything other than health research."

In none of the instances were people's names, social insurance numbers or financial information released, she said. The information was in tables and was not people's medical files, she said.

She also noted the consulting firm Deloitte has been hired to review the ministry's information management procedures.

Denham launched her own investigation on Sept. 11, 2012 into the alleged data breaches at the health ministry. The OIPC investigation includes the instances the minister outlined today, "but also includes a broader review of the ministry's data-handling practices in relation to research," she said in a prepared statement.

"Our investigation will be complete in the coming weeks, and we will be issuing a public report with findings and recommendations," she said.

MacDiarmid said the researchers who received the data have been asked, either directly or through their lawyers, to return it.

Andrew MacLeod is The Tyee’s Legislative Bureau Chief in Victoria. Find him on Twitter or reach him here.