Brandon Harder
Saskatoon StarPhoenix
Without legal authority, a nurse who worked at Saskatoon’s Jim Pattison Children’s Hospital snooped on the private medical records of 314 patients, according to a recent report.
The report, dated April 23 and signed by Saskatchewan Information and Privacy Commissioner Ronald J. Kruzeniski, states that a registered nurse (RN) who was employed in the maternity department accessed the records for reasons “unrelated to patient care.”
The RN is not named in the report, which simply refers to the individual as the “Snooper.”
The privacy breaches occurred between Aug. 23, 2021 and Dec. 14, 2021, according to information given to Kruzeniski’s office by the Saskatchewan Health Authority (SHA), which brought the situation to light proactively.
The records were accessed remotely using an SHA laptop when the RN was on a leave of absence, states the privacy commissioner’s report.
The SHA told Kruzeniski’s office that the unauthorized access involved 2,437 records.
“Some of the records accessed included sensitive personal health information,” the report states. “In relation to some patients, the information accessed also included sensitive demographic information such as the patient’s name, contact details, date of birth, hospital medical record number and health services card number.”
Further, six of the patients were co-workers of the RN and two of them, the report states, had “confidentiality flags on their files requiring the user to ‘break the glass’ or override the warning flag or screen to gain access.”
The report also notes the RN was interviewed but “could not explain why they looked at the patient records.”
“According to the SHA, the RN eventually admitted that they did not need to access the patient records and apologized for having done so,” states Kruzeniski’s report, adding that the RN’s employment was “terminated” by the SHA as part of measures to address the privacy breach.
According to the report, the SHA also notified the College of Registered Nurses of Saskatchewan about the breach. However, the report states that (as of the time of writing) “it appears that the Snooper’s license to work in the province is still in effect.”
The privacy breach was reported to Kruzeniski’s office on Aug. 16, 2024 and the 314 affected parties were notified Aug. 19, according to the report.
“This was approximately five and one-half months after the investigation was concluded and over two years after the breach was discovered,” the report states.
The privacy commissioner found that the SHA had taken reasonable steps to contain the privacy breach, and conducted an adequate investigation.
However, Kruzeniski found the notification of the affected parties “was not adequate and timely.” He also found that the SHA’s plan to prevent similar privacy breaches in the future was not adequate.
As well, he found that the SHA did not comply with Section 16 and Subsection 23(2) of the Health Information Protection Act (HIPA) insofar as it does not have in place an auditing policy regarding the access of certain health information systems.
The privacy commissioner’s report, which is available publicly online, contains a list of recommendations.
Some are aimed at preventing similar breaches in the future while others are directed toward providing more fulsome notification to affected parties.
His final recommendation is that the SHA: “forward their investigation files to the Ministry of Justice and Attorney General, Public Prosecution Division, to allow prosecutors to further consider whether an offence has occurred and if charges should be laid under HIPA or any other statute.”
The report contains some paragraphs in which the commissioner comments generally about snooping on personal information and health information, saying it has been an issue in Saskatchewan and elsewhere in Canada for “some time.”
While Kruzeniski writes that some progress appears to have been made in Saskatchewan toward protection of private information, he remains concerned.
“If people cannot trust their health care providers to protect their privacy, they may withhold or falsify information about their health. This, in turn, poses a substantial risk to the quality of the health care they may receive.” the report states.
“I cannot overstate how important it is for Saskatchewan’s trustees to make every reasonable effort to ensure that those who are tempted to snoop are not successful and that personal health information is protected.”
bharder@postmedia.com
