Breach hits 1,300 health files
Violations lasted 11 years
A former employee of Alberta Hospital Edmonton inappropriately accessed the records of more than 1,300 patients, Alberta Health Services announced Monday in what is believed to be the province’s largest deliberate breach of health information.
“In terms of a unique individual inappropriately accessing health care records, it is not within the scope of something we have seen before,” Dr. Francois Belanger, AHS’s interim vice-president of quality and chief medical officer, said Monday.
The violations of the Netcare electronic health information system occurred over more than 11 years from January 2004 to July 2015, stopping only when the health authority received a tip from the employee’s co-worker.
The tip triggered a lengthy audit of the employee’s use of Netcare.
But that was complicated by the fact that the employee’s job description required him or her to frequently look up patient records.
Investigators had to separate legitimate use of the system from instances of improper access, Belanger said. In the end, AHS determined 1,309 Albertans had their health information breached, all of whom are due to receive a letter in the mail this week notifying them of the violation.
AHS is also sending letters to 11,539 others whose basic demographic information — name, date of birth, address and health number — was exposed to the employee.
As an example, AHS said an employee searching for the medical records of a specific John Smith might be presented with a list of all the John Smiths in the system. The list would display demographic information, such as addresses, which could then be used to find the right person.
Belanger said AHS has determined none of the accessed records was altered or printed.
“And we don’t believe the information was sent to anybody. We think this individual acted on the basis of personal curiosity,” he said. “It was a very extensive review that we have done.”
A special phone line has been set up for the affected patients, who will receive information about the service in their letters. Help will also be provided to those wanting a full audit log of all accesses to their Netcare records, AHS said.
The health authority said the affected records belong to patients all over the province, not just the Edmonton zone.
The fact the employee worked at a facility specializing in mental health has the potential to increase public concerns, since such illnesses still carry a societal stigma.
However, Belanger said it’s believed the vast majority of breaches were of patients from other parts of the health system, not Alberta Hospital Edmonton.
AHS declined to provide any details about the employee, except to say he or she was no longer working for the health authority.
The case was reported to the Office of the Information and Privacy Commissioner, which is still in the midst of its own investigation. The commissioner has the power to recommend the Crown file charges under the Health Information Act.
Charges for health information violations have been laid seven times in the last 10 years, all of which involved much smaller numbers of patients. Four of those cases resulted in convictions, while three cases remain unresolved.
In the fall of 2013, an unencrypted laptop containing information on 620,000 patients of Medicentres Canada was stolen, though there is no evidence that data was inappropriately used.
The announcement of the privacy violations comes as the province ramps up efforts to increase the use and sharing of electronic health records, a move touted to make life easier for patients and health staff.
Asked if the breaches might undermine public confidence in the plan, Belanger said records are far better protected in an electronic system rather than “having a bunch of paper being passed around.”
He said AHS has boosted its efforts
The large majority of our staff are very diligent about protecting the privacy of our patients.
in recent years to ensure health workers are aware of information and privacy rules.
Monitoring and auditing of electronic health systems are done, but the health authority relies more on education, legislation and policy.
“We take this very seriously,” he said. “The large majority of our staff are very diligent about protecting the privacy of our patients.”