Prince Albert Parkland Health Region Data Breach (2015)

An employee of the Prince Albert Parkland Health Region has been fired after 16 patients had their personal health information breached over the last year. An employee of the Prince Albert Parkland Health Region has been fired after 16 patients had their personal health information breached over the last year. Health region CEO Cecile Hunt says the employee was not involved in the patients care and has been dismissed. The motive for the snooping remains a mystery, Hunt said. We really could not begin to speculate on the reasons for the employee doing these things, Hunt said. We know that there was a privacy breach and we have dealt with those privacy breaches. Another employee alerted the health region to the breach on Dec. 14, prompting an investigation. Hunt called the probe lengthy and detailed, saying it showed that the employee had improperly accessed information through the provincial EHR Viewer, which is an electronic filing system for Saskatchewan health-care records. The improper viewings, which contravened the Health Information Protection Act of Saskatchewan, came between Jan. 10 and Dec. 9, 2014. Citing privacy issues, Hunt said she couldnt disclose the employees length of service, job or any other information. She did, however, say that reports had been filed with theemployees professional licensing body. Hunt was unable to comment on what, if anything, the employee did with the information that was gleaned from the records. About 3,300 physicians, pharmacists and nurse practitioners have access to the system across the province. Employees must log in with a personal password and a record is kept of every file they access. The patients who had their information looked at will be informed about the breach by letters that were mailed on Wednesday. As a result, its too soon for the health region to have heard back from anyone yet. Hunt did have a message for them. On behalf of the Prince Albert Parkland Health Region, I sincerely apologize to each of the affected patients, she said. Our organization and I are very serious about the protection of personal health information. Its a matter of utmost importance; its a matter of trust. She said the health region was releasing the information publically to be as transparent as possible. The information that was accessed included prescription and lab information. Well be happy to answer any questions that these patients might have, she said. And they will also have an opportunity to speak to the privacy commissioner if they so wish. Patients who are concerned about access to their information can request that it only be viewed with their authorization. The health region has taken a number of steps, aside from the firing, that it hopes will deal with the problem. The Office of the Saskatchewan Information and Privacy Commissioner, eHealth Saskatchewan (the agency responsible for the eHR Viewer) and the Saskatchewan Ministry of Health were informed. The Office of the Saskatchewan Information and Privacy Commissioner has also received a copy of the investigation report. The eHR Viewer program will have increased monitoring and auditing. Employees will receive additional information on the use of electronic health records and privacy laws. The EHR Viewer is a secure website developed to provide patient information to health-care providers regardless of where an individual seeks care. It includes information on laboratory tests, prescriptions, diagnostic imaging, immunization and clinical documentation. The EHR system is the melding together of a number of electronic elements that have existed in varying forms in the last several years. The province announced last week that the final major piece of the puzzle, diagnostic imaging, had just been added. Hunt said there have been reports of inappropriate comments on information in the past but this breach is well documented. The discipline is in line with similar information breaches elsewhere. In a report issued last November that looked into an information breach in Regina, the privacy commissioners office cited a similar event that was dealt with by the Prairie North Regional Health Authority. PNRHAs employee termination and the arbitration decision that upheld the termination is consistent with other arbitration decisions in other jurisdictions such as Ontario and British Columbia, the report said. In one case, the arbitrator stated that zero tolerance should be the norm and only in compelling cases should termination not be the result of unauthorized access. Asked if it was something that could happen again, Hunt answered by saying that the breach was not indicative of the behaviour of most health region staff. I think the vast majority takes their responsibilities very seriously, Hunt said. The audits that we will implement will hopefully provide some confidence to our patients that we take this trust very seriously and we will work hard to ensure that our employees realize that curiosity is not appropriate when dealing with electronic health records.