Reports of health-care privacy breaches spike in Alberta

Reports about privacy breaches in the health sector have ballooned in Alberta since new provincial regulations requiring mandatory reporting were put in place, according to the Office of the Information and Privacy Commissioner (OIPC).

 The commissioner is investigating 20 incidents and has flagged 70 more as potential offences.

 "[They're] more common than I think anyone in the health sector would like to admit," said Scott Sibbald, spokesperson for the OIPC.

The office announced this week that a former Alberta Health Services (AHS) clerk was charged and subsequently fined $8,000 for the unauthorized accessing of health records of 81 people on 471 occasions at the Michener Centre in Red Deer.

• AHS billing clerk fined $8,000 for illegally accessing health records

The OIPC has also been notified about a number of other recent breaches within AHS.

Those include the disappearance of an unencrypted hard drive containing the personal health information of 650 patients at the Mazankowski Alberta Heart Institute in August, and the inappropriate access of 2,158 electronic health records by Alberta Public Laboratories staff at the Red Deer Regional Hospital earlier this year.    

It has been mandatory to report such breaches to the privacy commissioner since Aug. 31, 2018, when the Alberta government brought in changes to the Health Information Act, which governs all health regulated health professionals.

Prior to the change, the OIPC would receive about 130 voluntary breach reports a year from both inside and outside AHS. In the first year after the new regulations came into effect, it was inundated with more than 1,000 reports.

According to Sibbald, most of the cases relate to simple problems — often the result of human error — such as a misdirected fax or email.

But the office is also dealing with increasingly complex breaches relating to inappropriate patient file access.

• Edmonton medical clinic employee fined after admitting to health data breaches
• Investigation finds improper access to patient records at Red Deer hospital
• Missing hard drive has health information of 650 heart patients, AHS says

"We are, of course, seeing more incidents that are a result of snooping. So that's authorized users of health record systems looking into health information that they don't need to for their job," he said.

The influx of reports is putting a strain on OIPC staff.

"Considering how resource intensive and time sensitive these types of investigations are to meet the threshold before the courts, it's really flooding the office at this time," Sibbald said.

Almost half of breaches from within AHS

During the first eight months after mandatory reporting came into effect, 40 to 45 per cent of the breaches flagged to the privacy commissioner came from within AHS.

We do take it very seriously," said Todd Gilchrist, an AHS vice- president.

"That unauthorized access is disappointing when it happens and is something that should not continue to happen."

According to Gilchrist, AHS officials are working to crack down on these kinds of privacy violations and are taking steps to educate staff through several new programs, including:

• A new privacy protection and information access policy (July 2018).
• "Infocare," which offers privacy and information security training to staff and provides "an easy way for the reporting of breaches and security incidents" (February 2019).
• Mandatory privacy training modules (June 2019).

Gilchrist says there is no software system in place right now to actively monitor for unauthorized access of electronic health records. Instead, random audits are conducted manually after a problem is flagged.

But Gilchrist says plans are in place to improve that when the first wave of Connect Care, a central access point for patient information, starts rolling out next month.

According to Gilchrist, the electronic information system will have intelligent software in place that actively monitors for breaches.

"This new smart auditing tool will allow us to have more defined levels of security clearance but then also — when it comes to auditing — it will no longer be the manual process. And the intelligent software will always be working  across the system as opposed to just targeting in and looking at specific access."

Reason to worry

There's reason to worry about these kinds of breaches, according to Tom Keenan, a digital security expert and University of Calgary professor.

While some incidents may be trivial, others could have more serious implications.

"It might be your most intimate personal information that gets out there, and also it might be used for nefarious purposes like blackmailing you or something like that," he said. 

"There's something special about our medical records. And we just don't want to think that they're not adequately protected."

For Keenan, the spike in breach reports comes as good news.

To him, it signals the new rules are pushing health organizations to take the problem of privacy violations more seriously.

"Let's hope that it's a lower number next year."