Watchdog blasts SHA over new privacy breach
Patient information faxed by mistake to computer store for fourth time
Darryl Arnold would have unplugged his fax machine months ago if he didn’t need it for work.
That’s because the Saskatchewan Health Authority keeps faxing him confidential patient information, most recently a five-page catheterization report that included a patient’s personal information, medical history and treatment recommendations.
According to the provincial privacy czar, the business Arnold co-owns — Kelly’s Computer Works in North Battleford — has received faxes of confidential medical records on at least four occasions over the last two years, most recently on March 12.
“Obviously, the lack of privacy worries me, but more importantly, what concerns me is most of these faxes are coming from an outbound organization … that’s providing results to the doctor that needs to see them,” Arnold said.
“And if they’re getting faxed to me, the doctor that needs to see them isn’t seeing them.”
At one point he offered to sell the fax number to the SHA, but the authority ultimately declined, he said.
In his latest probe of the faxes, Privacy Commissioner Ron Kruzeniski noted that the cause is always the same: “Employees incorrectly inputting the (physician’s) fax number,” which is one digit removed from the computer store’s number.
Kruzeniski went on to raise red flags about the SHA’s response to the latest breach, which involved asking Arnold to delete the fax.
That was not simple because the faxes are routed through two separate email services, which Kruzeniski said raises concerns about residual backup copies and the general risk of moving personal health information through a webmail server.
“It is the responsibility of the SHA to get this issue addressed once and for all. It cannot expect a private business to continue to clean up its errors,” Kruzeniski said in the report, which notes that the webmail issues had not previously been disclosed.
In an emailed statement, SHA spokeswoman Amanda Purcell said “as with any breach” the faxes were investigated internally and reported to Kruzeniski’s office. The patients involved were notified in writing, Purcell added.
“We are reviewing the privacy commissioner’s report, and have already begun to implement recommendations. Our first steps have included providing education to staff, as well as working with the specific clinic involved.”
The health authority is also working with various health-care organizations on a project led by eHealth Saskatchewan to promote electronic transmission with the aim of eliminating the need to fax personal health information, Purcell said.
In his report, Kruzeniski said his office has been advised that “the SHA was working on a project to eliminate faxing of personal health information within the health system (but) the timeline for implementation has not been established.”
Earlier this year, Kruzeniski proposed a timeline of six to 12 months to implement that plan. In October, his office learned the SHA considers that timeline “unrealistic considering the complexity of changing workflows and systems,” the report states.
“I am concerned with the timeline being undefined given that this has been an ongoing issue,” the commissioner wrote in the report. He recommended the SHA provide the project timeline within the next six months.
Arnold said he’s optimistic because several months have passed since he has had to use his contact in the SHA’s privacy department to report another fax filled with confidential medical information.
“I kind of hold my breath though because it’s only a matter of time normally.”