Saskatoon StarPhoenix

Privacy commissioner wants health authority to fire employee

- THIA JAMES tjames@postmedia.com

Saskatchewan’s Information and Privacy Commissioner is recommending the provincial health authority fire an employee of the former Sun Country Regional Authority who accessed the information of 880 home-care clients without a “need to know.”

Ronald Kruzeniski, in a report issued on April 30, also recommended the Saskatchewan Health Authority send its investigation file to the Ministry of Justice’s public prosecutions division to determine whether an offence occurred and whether charges should be laid under the Health Information Protection Act.

The employee’s name was not disclosed in Kruzeniski’s report.

The breaches date back to June 2010, according to an audit by Sun Country. It found an employee in the Estevan Home Care office accessed portions of electronic health records, including names, addresses, health card numbers, doctors’ names, records of visits with doctors, consultation reports, investigation reports, diagnostic results, bills and correspondence.

The breach, affecting clients in Estevan and surrounding area, was reported to Kruzeniski’s office on Nov. 8, 2017.

“Given the excessive number of affected individuals, I recommend the SHA terminate the employee,” Kruzeniski wrote.

Sun Country investigated the breach prior to reporting it to the Information and Privacy Commissioner’s office. It found that the employee accessed the information of co-workers, clients outside of the designated area, a relative and clients for which there was no “need to know.”

The health region’s management noticed that the employee discharged a patient in the database on April 4, 2017, which was outside of the function of their position. The home-care department then investigated the employee’s activities. Sun Country’s privacy officer was notified about the breach on May 29 and the employee’s access to the database was restricted two days later.

The internal investigation found that the employee continued to access information inappropriately after two meetings were held about the breach.

The employee told investigators other staff in the field and staff in other home-care areas asked for the information. The employee also claimed to have covered responsibilities of fellow employees who were away or when positions were not filled. The employee also claimed to be unaware the actions would be considered a privacy breach and said other staff may have accessed the database under the employee’s username.

The home-care managers disputed the employee’s claims, additionally saying that staff are trained to call supervisors for information when they’re in the field. The managers told investigators that the employee had to cover duties involving database entry, but that work was identified in the investigation and was not included in the breach of 880 individuals’ records.

The health region acknowledged it had granted the employee more access to the database than was required by the employee’s position.

Sun Country notified 614 of the 880 affected individuals about the breach. The remaining 266 were deceased.

In a prepared statement to The StarPhoenix, the SHA said it has since developed role-based permissions to the database to give users the “minimum access” required to perform their job duties. It said staff have also been trained on privacy and the “need to know.”

The SHA is reviewing the OIPC report, including the recommendations, the statement said. The employee is not currently on the job and doesn’t have access to electronic health records, spokesman Doug Dahl wrote.

“While this breach did not affect the health care of the clients, the Saskatchewan Health Authority understands that this breach of privacy is a violation of the trust placed in us by our patients, long-term care residents and community clients,” Dahl wrote.
