Personal health data of My Recovery Plan users are vulnerable to US CLOUD Act
The Alberta government confirmed it is ending My Recovery Plan, the app that ostensibly tracked recovery progress & facility wait lists. However, the app is hosted by Amazon, placing users' personal health data at the mercy of the American Cloud Act.
"There's a lot of lawyers using AI to write legal documents, but we don't know where that information goes and how it's used in the AI, so that is technically a breach of lawyer-client privilege," Marshall Smith, then-chief of staff to the Alberta premier, cautioned the audience of Edmonton's 2024 Upper Bound AI Conference.
Smith then assured the crowd that "in the problems that I'm working on, we're going to contain it in a container right now – let it go wild within that container."
Smith did not tell his audience that the contents of this 'container' included the personal health data of perhaps thousands of people in Alberta in substance use recovery programs, obtained without informed consent. He was describing the Alberta government's use of these data in AI models to unlock the secrets of recovery, but as he spoke, Smith's 'container' was open to the American government. In its testimony to the French senate in July, Microsoft confirmed that the US CLOUD Act empowers the American government to seize data uploaded to Microsoft, Google, Amazon or other American tech company databases.
My Recovery Plan has been doing exactly that with its user data as shown in its privacy impact assessment, obtained by Drug Data Decoded through a 2024 freedom of information request. This appears to contravene Alberta's Health Information Act, which requires that custodians of health data take "reasonable steps" to "protect against any reasonably anticipated threat or hazard to the security or integrity of the health information."
The US CLOUD Act went into effect in 2018, while My Recovery Plan began collecting user data in Alberta in 2022.
The app, owned by Last Door Recovery Society, was purportedly launched in 2021 to track wait lists and participant progress at Alberta substance use recovery centres. After collecting personal health information of people entering recovery programs, it stores the user data on an Amazon AWS server in Montreal.
Microsoft told the French senate any server's location is irrelevant – American companies are expected to comply with their government's requests without the local government's permission.
Following up a recent scoop by Drug Data Decoded that was also reported by Global, CTV obtained confirmation from the Alberta government that My Recovery Plan is being decommissioned. This occurred at a press conference announcing the Calgary Recovery Community, which was quietly contracted to Last Door Recovery Society in early 2023, two months after sexual assault allegations broke against a former employee. Moments after fumbling his binder while CTV raised these allegations (eventually convictions), Minister of Mental Health and Addiction Rick Wilson revealed that "until the new app is developed, we'll carry on with the old one... and then [user data] will all be redacted from their system."
Wilson did not explain what he meant by "redacted" or whether it meant that user data would be deleted from My Recovery Plan and its Amazon server. This could be challenging in any case, as both are held in the private sector. He also did not provide a timeline, though previous reporting by Drug Data Decoded showed the app's decommissioning is scheduled to begin in 2026.
Euan Thomson
For users of the app, 2026 may be too late. According to Carlton University PhD candidate Alexander Rudolph, who writes the publication Canadian Cyber in Context, the data are vulnerable to the Cloud Act right now. "Regardless of where they are in the world, they are covered by the US CLOUD Act," he told Drug Data Decoded, "and this includes all [Amazon] AWS infrastructure."
On September 8, Drug Data Decoded asked the Ministry of Mental Health and Addiction and Last Door Recovery Society to confirm that My Recovery Plan is hosted on an Amazon server, to reveal how many users' data are currently in the database, and to explain how they will protect these data from the US government if needed. The ministry and Last Door did not respond.
US Supreme Court justices are warning that certain groups of people are "fair game to be seized at any time,” while the Trump administration places unsettling attention on people who use drugs through its July 24 executive order, "Ending Crime and Disorder on America's Streets." That order gave authorities essentially unlimited power to institutionalize people who use drugs, people who are unhoused, and people with mental health conditions, bypassing due process. The Alberta government's new Compassionate Intervention Act, passed into law in May, provides similar powers to authorities, health practitioners and families in the province.
The collapse of American rule of law led by its federal government places My Recovery Plan users under increasing surveillance and carceral dangers. Those who have uploaded personal information to My Recovery Plan, whether they consented to the app or not, have been rendered more vulnerable.
These dangers are a direct result of policy created by Alberta's Ministry of Mental Health and Addiction. In March, Drug Data Decoded reported that Recovery Alberta (formerly Alberta Health Services) pressured service providers to ensure that all clients upload their data to My Recovery Plan. Service providers who didn’t comply were threatened with funding cuts.
Federally, the Carney government is facilitating the perilous direction set by the US CLOUD Act through legislation including Bill C-2, which the Electronic Frontiers Foundation called a "Trojan horse for U.S. law enforcement — quietly building the pipes to ship Canadians’ private data straight to Washington." There is real danger in allowing Canadian or American authorities free access to see anyone's online accounts, such as an app that monitors recovery from substance use.
At the 2024 Upper Bound AI Conference, Marshall Smith appeared to signal this American infiltration. "We’re now having discussions with really significant tech companies," he said. "Many of them are involved in the intelligence industry, defence intelligence, et cetera. We’re not going to Staples to buy an off-the-shelf solution. We are talking to people who serve the CIA, the FBI, the NSA."
That tech companies involved with American intelligence agencies could be handling sensitive health information of people in Alberta, using AI that Marshall Smith admits is legally leaky, further demonstrates the Alberta government's lack of attention to data sovereignty around My Recovery Plan. The forfeiting of data sovereignty and other concerns led Indigenous recovery centres to refuse implementation of the app, as reported in APTN last October. As Dr. Esther Tailfeathers of Kainai Nation said at the time, My Recovery Plan implementation had taken a “unilateral and colonialistic approach” that was “basically the selling out of Indigenous communities to private companies.”
Danielle Paradis | Euan Thomson
Rudolph says protecting data sovereignty of people across Canada by treating it as a matter of national security suffers a lack of will at all levels of government, none of which "have made the investments to provide a strong, Canadian alternative" to data storage offered by American tech giants.
That the Alberta government is now abandoning My Recovery Plan to build its own tool indicates its concern about this vulnerability – after spending four years and millions of dollars developing the app.
“We want to have a fully accessible system where people can choose, you know, where they want to go based on good data,” Marshall Smith told the Alberta Recovery Summit in 2023. Months before resigning from his position in late 2024, he preached to the Upper Bounds AI Conference, "we are going to go to where we think the limits are, and then we're going to push fifty percent beyond that."
"We are engaged in big, big thinking."
With Smith's former ministry now abandoning that big thinking as unscientific at best, the public and media should ask where the fine details got lost. The next chance to do so is back at the Alberta Recovery Summit this month, organized by Last Door Recovery Society.
Documents used in this story:
If you have additional information related to My Recovery Plan, including suspected violations of the Health Information Act, please send materials to the Auditor General at info@oag.ab.ca. Additional information can be sent to info@drugdatadecoded.ca.
An early version of this story was shared with paid subscribers on September 9.
Drug Data Decoded provides analysis using news sources, publicly available data sets and freedom of information submissions, from which the author draws reasonable opinions. The author is not a journalist.
This content is not available for AI training. All rights reserved.
