Royal Inland Hospital Data Breach (2013)

Royal Inland Hospital

low
VERIS
Disclosed

October 1, 2013

Records

1.6K

Confirmed

Root Cause

Human Error

Industry

Healthcare

Description

Royal Inland Hospital has advised 1,628 patients their privacy has been violated.

Nancy Serwo, acting administrator at the hospital, said two boxes of records were returned to the hospital on June 16 after they were discovered in a filing cabinet the hospital had donated elsewhere last year. The best estimate of when the equipment was disposed of is last October, Serwo said, though she could not identify who received it.

The letter sent to patients states no one asked for identification from the person who returned the boxes to the hospital, which has made it difficult to investigate the breach.

Serwo would not identify where the cabinets had been used in the hospital, saying it was a specific, isolated area. However, KTW spoke with one of the letter recipients, who provided a copy of the letter. The woman, upset her medical privacy had been breached, requested her name not be published. Her letter said her file involved in the breach included a diagnostic polysomnogram test result. A polysomnogram is a sleep-disorder test.

The woman said her first reaction, when she was handed the registered letter from RIH, was to wonder "if they were going to tell me they had infected me with something," a concern that harkens back to a few years ago, when RIH patients received letters advising them of sterility issues during invasive procedures they had undergone.

"The mailman said all he knew is they were delivering hundreds of them all over the city," she said, adding she wants more assurance about who might have read her file, which included her name, date of birth, personal health number and other health information.

"I don't know who they gave it to. I don't know who might have rifled through it."

Serwo said she took possession of the boxes on June 16 and was confident, after inspecting them, that they had not been read beyond identifying they were medical records and needed to be returned. But, Serwo added, she understands her confidence might not be enough to remove any worries from those 1,628 patients.

Serwo said anyone who has additional questions or needs more information can call the IHA patient-care quality office in Kelowna at 1-877-442-2001, or send an email to patient.concerns@interiorhealth.ca.

The woman who spoke to KTW also wondered how a cabinet full of files could have been moved without someone noticing it was not empty.

"I've done it," she said. "They're heavy."

Serwo said she had no answer to that question, but added that last October, during a regular policy review, the relevant policy had been amended to clarify managers' responsibilities when disposing of excess equipment.

The letters spell out what could be called the worst-case scenario of identity theft and what people should do to ensure their information isn't used illegally. However, Serwo said, that is because the hospital wanted to exercise an abundance of caution.

The measures it refers to include having an alert placed on their health number that would prompt confirmation of the cardholder's identity when the card is used. A similar alert can be placed on patients' credit ratings. In addition, patients were advised to review their bank and credit-card statements to ensure all transactions were valid.

"So, now I have to go back through a year's worth of bank documents?" the letter recipient asked. "It is not a comfortable thing to know this happened."

Serwo said the one-month time span between having the documents returned and advising patients of the privacy breach was due to Interior Health Authority policy that requires a review of what happened and to ensure appropriate action is taken to avoid a similar breach in the future.

"This was challenging given the circumstances involved in this case," IHA communications officer Michaela Swan said.

While that was ongoing, staff reviewed the more than 1,700 documents involved to identify all patients who had information in the documents. After that step, staff had to manually search each patient's records for their contact information and to verify their age. If they are under 18, parents or guardians needed to be contacted. For those under care, care providers had to be contacted. The IHA also had to determine if the patients are still alive.

With the number of people involved, Swan said, the process took some time to complete.
