Snooping HSC employee committed hundreds of patient privacy violations ‘out of curiosity’: Shared Health

Hey there, time traveller!
This article was published 24/05/2024 (471 days ago), so information in it may no longer be current.

A Health Sciences Centre employee snooped through the medical records of about 360 patients, Shared Health announced Friday — the latest in a series of privacy breaches involving Manitoba health-care workers.

After interviewing the now-former clinical staff member, Shared Health believes the breach was “an instance of snooping out of curiosity,” rather than an attempt to share private information with a third party, a spokesperson wrote in an email.

Shared Health said the former employee accessed electronic records between August and March. Their position was not disclosed.

Christina Von Schindler, Shared Health’s chief privacy officer, said a “concern” was reported, which led to an audit of the employee’s activity in health record systems.

“Shared Health takes the safety and security of patients’ personal information very seriously, with a number of protocols in place to detect inappropriate access of private patient information,” Von Schindler said in a statement.

“It is deeply regrettable that patient privacy was breached. In this case, the protocols were effective, with the snooping detected, investigated and the individual responsible held accountable for their actions.”

The health authority, which oversees the HSC campus, did not make Von Schindler or any other official available for an interview.

In a statement, Von Schindler said Shared Health cannot disclose personal information, including discipline of employees. Shared Health would not say if the worker was fired.

Von Schindler said the person was not a regulated employee subject to a professional disciplinary body.

Ann Cavoukian, who was Ontario’s privacy commissioner from 1997 to 2014, said the breach is “unconscionable.”

“This is one of the most harmful breaches of privacy,” said Cavoukian. “Nothing could be more sensitive than your health information.”

Considerable harm can be done if the information falls into the wrong hands, she added.

“That’s always the fear,” said Cavoukian, executive director of the Toronto-based Global Privacy and Security by Design Centre.

Von Schindler said the audit confirmed no information was printed or copied, and there is no evidence information was shared.

Cavoukian called for transparency with respect to investigations or disciplinary action to send a clear message to the public.

Shared Health said letters were sent to affected patients this week to tell them about “unauthorized” access of their information.

Patients were invited to contact Shared Health’s privacy office. The letters explain how they can obtain a record of staff activity on their electronic health record.

The Personal Health Information Act required Shared Health to report the breach to Manitoba ombudsman Jill Perron.

Perron said her office is opening an investigation, which will review the circumstances and Shared Health’s response.

“Personal health information is widely considered to be one of the most sensitive types of information about individuals,” Perron wrote in an email.

“Manitobans trust that employees of health-care facilities will respect their privacy and only use their personal health information as authorized under the law. I cannot emphasize enough how serious and how wrong it is to be abusing that trust by intentionally violating someone’s privacy.”

Perron said affected patients have a right to make a complaint to the ombudsman’s office.

Unlike in other jurisdictions, Von Schindler said police generally are not notified, because “remedies” fall under the ombudsman’s authority.

Shared Health said all of its employees are required to complete mandatory training on how to appropriately use personal health information. It said the training is repeated every three years.

Each staff member must sign a pledge to abide by the PHIA and Shared Health policies on confidential data systems, the authority said.

“The vast majority of the health system employees understand and use their privileged access as intended,” said Von Schindler. “In the rare instance that a staff member abuses this privilege, despite training and awareness they are being audited, disciplinary action is taken.”

She said a vast majority of breaches are inadvertent. When a breach creates a risk of serious harm, the patient, ombudsman and, if applicable, the employee’s professional regulatory body are notified, she added.

In the last year, Shared Health has notified the ombudsman’s office of two breaches, including this one, said Von Schindler.

“Wilful breaches such as snooping are very rare,” she said.

Health Minister Uzoma Asagwara called the matter “an important lesson for the health-care system.”

“Personal health information is just that: personal,” Asagwara said in a statement. “And any inappropriate accessing of personal records is a serious breach of trust.”

The health minister’s remarks come less than a month after saying the government is open to exploring ways to strengthen health-care privacy legislation.

In April, a nurse was suspended for two weeks and fined $4,000, after she admitted to improperly viewing the records of 57 patients, according to a discipline report published by the College of Registered Nurses of Manitoba, which held a hearing into the matter.

Four other nurses were named in discipline reports going back to 2018 that detail up to 2,140 individual privacy breaches.

Winnipeg resident Daniel Hidalgo was notified by the Winnipeg Regional Health Authority in December, after an employee snooped on his medical records in an unrelated incident. He was told the activity was discovered during a routine audit.

Hidalgo repeated his call for more accountability and transparency, after learning of the breach at HSC.

“It certainly leaves you feeling unsupported, exposed and violated,” he said of his experience.

Hidalgo was left with questions about the adequacy of existing training or preventative measures, and whether sufficient consequences are always applied.

“I hope this stuff stops,” he said. “I hope folks in the position that they’re in respect (patients).”

In 2021, the ombudsman charged a privacy officer at a health-care facility with three counts of disclosing personal health information under the PHIA.

chris.kitching@freepress.mb.ca