Cape Breton Post

A limp and disappointing response

Health department continues to fumble the ball regarding security breach

Nothing to see here folks, move along, we have this under control.

That pretty much sums up Nova Scotia Health Minister Randy Delorey’s response to provincial Privacy Commissioner Catherine Tully, who reported in August the Health Department fumbled the ball repeatedly when dealing with a breach in the security of health records – a breach that exposed the private medical information of a number of Nova Scotians.

There is something to see here. The department entrusted with the medical records of every Nova Scotian didn’t detect the security lapse, didn’t adequately investigate to determine its extent, misinformed those Nova Scotians whose information was exposed and hasn’t admitted its failure, yet it still seems to believe it warrants Nova Scotians’ trust.

This wasn’t a major breach by volume, but it’s a serious event for the 50-or-so Nova Scotians whose medical information was inappropriately accessed.

The breach happened when a pharmacist, formerly employed by Sobeys, habitually snooped into the medical records of people with whom she had some personal association.

She wasn’t their pharmacist, so she had no business looking at the medical files, for example, of the driver of the other car in an accident she had, or of her kid’s teachers, or anyone else she wasn’t serving professionally.

The health minister’s response to Tully’s critical report is limp and disappointing. It sidesteps the department’s obvious failures in favour of statements about “continual process improvement” and other empty assurances.

The response must have been drafted in close quarters, where the staff didn’t notice, or at least didn’t acknowledge, the elephant in the room with them.

When the department reported the incident to the Privacy Commissioner – whom the minister insists on referring to by her former, less authoritative title, Privacy Review Officer – back in December 2017, it claimed the investigation was complete, there was no malicious intent and the breach was contained. None of those claims was accurate, but it took the Commissioner to determine that.

Had Tully not embarked on an investigation of her own, this whole mess would be nothing more than an unsightly bulge under the carpet somewhere in the Health Department’s offices.

Tully found that the Health Department’s investigation was cursory, incomplete and compounded when the department misinformed the people whose records had been compromised.

The department inaccurately told those people it had uncovered the breach during its audit process. In fact, suspicions about the offending pharmacist came to the department’s attention from outside government. In addition, those people were not provided with any information that could have helped them limit the damage from the exposure they suffered.

The critical bit of information – the pharmacist had a relationship or association with each of them – was omitted from the government’s notice, which also downplayed the importance of the information that was accessed. The department and its minister haven’t learned much since Tully’s scathing report.

The response the minister signed assumes the familiar tone and tenor of a righteous bureaucracy, not a government department caught doing a shoddy job of cleaning up its own mess, which is exactly what it is.

When it was notifying the people whose information was breached, “. . . the Department also took the additional step of providing courtesy notification to the Privacy Review Officer,” the minister writes in his response.

The department wants the Privacy Commissioner (formerly known as the Privacy Review Officer) to know that she was notified as a courtesy – a courtesy that may not be extended in the future, so from now on Nova Scotians will have to trust that the department that botched this breach won’t botch the next.

Tully wrote a serious report into inadequacies in the Health Department’s processes to protect medical records, and in its response when a breach of security occurs.

The department missed its deadline to respond, and when it finally did, it jotted off a quick defense of business-as-usual and thanked Tully for her recommendations, which the department treated like suggestions.

The message was unstated but clear. The government will get better at its job when and how it decides to, not with the help or at the urging of some official whose title it refuses to get right.

“Had Privacy Commissioner Catherine Tully not embarked on an investigation of her own, this whole mess would be nothing more than an unsightly bulge under the carpet somewhere in the Health Department’s offices.”

Jim Vibert consulted or worked for five Nova Scotia governments. He now keeps a close and critical eye on provincial and regional powers.

Jim Vibert Op-Ed