Privacy commissioner finds doctors breached Broncos records
REGINA — Saskatchewan’s privacy commissioner has found several people inappropriately gained access to the electronic health records of the Humboldt Broncos team members involved in a deadly bus crash last April.
Sixteen people were killed and 13 were injured in the crash between the junior hockey team’s bus and a semi trailer at a rural Saskatchewan intersection on April 6, 2018.
“This has been a major tragedy in our province and I’m disappointed that people got tempted,” information and privacy commissioner Ronald Kruzeniski said in an interview with The Canadian Press on Monday. “Now that it’s happened ... it’s my job to work with others through education and legislative change (to) make the system work.”
In four reports posted on his website, Kruzeniski noted that eHealth Saskatchewan began monitoring the profiles of the patients — which included lab results, medication information and chronic diseases — three days after the crash.
From April 9, 2018, to May 15, 2018, the health agency detected at least seven users, mostly doctors, accessed the system to view the profiles of up to 10 patients.
The reports said that eHealth reported the breaches to the privacy commissioner.
Kruzeniski detailed the privacy breaches in those reports.
In one case, an employee of a medical clinic examined the health information of three people involved in the collision.
The assistant admitted she consulted the records because “her family members had heard one of the individuals had died and she wanted to verify the information; she thought another individual was a patient ... (and) she wanted to verify a detail that was reported by the media about one of the individuals.”
The report said the employee’s access to eHealth was suspended and she was given further training, but she has since resigned.
Another case involved a doctor at a Humboldt clinic who viewed the records of two people who were patients prior to the crash.
“Dr. D wanted to know what injuries the individual sustained, if the individual received care or if it was an instant fatality,” said the report. “For the other individual, Humboldt clinic explained to eHealth that Dr. D was concerned. Based on these explanations, Dr. D did not have a needto-know.”
Other breaches included three doctors who provided emergency care at the Nipawin Hospital and who reviewed patient records of those they treated.
“They believed they were in the individuals’ ‘circle of care,’” said the report.
The privacy commissioner said the province’s Health Information Protection Act does not address circles of care so the doctors were no longer authorized to access the records.
“You are entitled to access when you have a need to know, not an anticipated need, not,
‘Gee, I might like to know,’” he explained. During the monitoring period, two medical residents also looked at the records of one crash patient when the residents were reviewing the records of dozens of other patients with a particular illness.
Kruzeniski made a number of recommendations to eHealth — including that it conduct regular monthly audits for the next three years of the physicians involved.
The privacy commissioner also recommended that the organization comply with a need-to-know principle rather than a circle-ofcare concept and that users of eHealth be made to regularly review their training.