Ex-employee snooped on health records of 1,418 patients: report
Privacy commissioner outlines breach of Alberta Health Services data
EDMONTON - Alberta may need new ways of preventing information in electronic health records from falling into the wrong hands, the province’s privacy commissioner says in a new report.
On Wednesday, the Office of the Information and Privacy Commissioner released a report concluding Alberta Health Services (AHS) failed to ensure privacy training and proper oversight of a former typist and medical secretary at a psychiatric hospital who improperly looked at the medical records of 1,418 patients over 12 years.
“The findings from this investigation suggest it is well past time to consider whether the current approach to safeguarding health information made available through Netcare, as implemented by AHS in co-operation with Alberta Health, is adequate,” information and privacy commissioner Jill Clayton wrote in a preamble to the report.
Clayton is now considering whether she should instigate a wider review of Alberta Netcare, an electronic medical record system that gives 48,946 health-care workers access to diagnoses, treatment, and medical images for patients’ physical and mental health.
Report author Chris Stinner, a manager of special projects and investigations with the privacy office, also concluded too much time had passed to pursue charges under the Health Information Act against the former AHS employee.
The two-year limit on laying charges has frustrated other victims of health record snooping.
In August 2015, AHS terminated the Alberta Hospital employee who broke the privacy rules. However, Stinner’s report said her co-workers reported her suspected misuse of the Netcare system four times to AHS managers in the 17 months before she lost her job.
The first three times, managers neglected to check Netcare data logs to see how the worker was using the system, Stinner said.
In its subsequent investigation, AHS found the employee looked at the health records of 1,418 patients unrelated to her work duties, and also viewed lists of 12,861 patients’ data, which included information such as their birth date, gender and city where they lived.
Stinner’s investigation found the employee had a second job contracting with a private business that provided medical billing services for doctors’ offices. There is evidence the employee did her contract work “more than once” while she was supposed to be doing her AHS job, the report said.
After AHS completed its investigation, it notified 12,848 people their health or other information had been improperly accessed.
The privacy office received complaints from 30 people affected by the breaches.
In a written statement, AHS said it appreciated the privacy office’s report, and has since made “significant progress” improving the organization’s privacy culture.
As of this month, 88.5 per cent of AHS employees have completed mandatory privacy and Health Information Act training, it said.
The privacy office’s report also said AHS added extra Netcare data access audits at Alberta Hospital.