Journal Pioneer

Records breach reviewed

Privacy commissioner finds Health P.E.I. response to unauthorized hospital employee accessing patient files was reasonable

- BY RYAN ROSS Ryan.ross@theguardian.pe.ca Twitter.com/ryanrross

Health P.E.I.’s response to a privacy breach involving patient health records was reasonable, but steps could have been taken to prevent it, says P.E.I.’s privacy commissioner.

In a report released in December, privacy commissioner Karen Rose reviewed the unauthorized access of electronic health records for 353 people, which she referred to as “snooping.” Rose found Health P.E.I. had reasonable practices to prevent snooping, but the access credentials for the employee responsible should have been changed prior to the breach because of a change in her responsibilities.

The report said the employee, who is not identified, previously worked as a licensed practical nurse until the province changed the education qualifications in 2014.

When the employee didn’t meet the new requirements, they continued to work as a personal care worker, which is a position that has a different level of access to the health record system than an LPN.

Health P.E.I. found the scope of the employee’s access wasn’t changed to reflect the new role.

In the employee’s case, they worked providing constant care, which didn’t require them to access health records. Random audits are done to look for unauthorized access to patient files. The breaches were discovered after a nurse manager at the hospital, who was reviewing an audit of a patient’s electronic medical record, noticed the employee had accessed the records. That nurse manager knew the employee wasn’t one of the patient’s caregivers and didn’t expect someone in their role to need to access personal information in the electronic records system. The nurse requested an audit, which found the employee accessed personal health information of multiple patients and some hospital staff.

That audit led to further investigation and the eventual discovery that the employee still had access at the LPN level, despite the change in their role. An expanded audit going back to 2014 found the employee accessed personal health information of 353 patients when there was no reason for them to.

Health P.E.I. notified the affected parties in 2017 within 10 days of discovering the unauthorized access and issued a news release to ensure the public was aware of the breach. Some of that access involved modifying charts, including adding information related to vital signs, dietary orders and activities of daily living, but Rose said there was no evidence of malicious altering.

Rose said the audits didn’t indicate the employee changed or printed any personal health information.

Health P.E.I. revoked the employee’s access to patient information and cancelled all of their scheduled shifts once it was determined they accessed the system without authorization.

In her report, Rose said the employee admitted to accessing the files, but didn’t provide an explanation.

Rose said the evidence supported the conclusion the employee had various reasons for accessing the files, including to continue performing LPN tasks and to choose the more preferable patients to work with.

Other reasons in Rose’s report included looking up room numbers of people in the hospital and simple curiosity.

Rose found Health P.E.I. took reasonable efforts to notify the affected people and to contain the breach.

She also found the health agency had reasonable practices in place to prevent unauthorized people from accessing personal health information.

But Rose noted that in this case a technical safeguard wasn’t put to use, and no one requested to have the scope of the employee’s access changed.

“Health P.E.I.’s failure to implement a technical safeguard put additional personal health information at risk,” Rose said.

In her report, Rose made four recommendations, including that Health P.E.I. move forward with proposed changes to its auditing program and ensure management has adequate training in how to detect snooping. Rose also recommended Health P.E.I. review its standards for automatically logging people out of the health records system to determine what is appropriate.
