New details on Inuvik hospital data breach revealed in Privacy Commissioner's annual report
Six employees inappropriately accessed patient records in 2016, one was terminated
Health information custodians in the N.W.T.'s public sector are still "far from compliant" with the Health Information Act, according to the territory's Information and Privacy Commissioner (IPC).
In her latest annual report, tabled Tuesday in the legislative assembly, Elaine Keenan-Bengts says that even though there has been some progress on the development of system‐wide standards, policies and procedures, there is still "much work" to be done.
The N.W.T. Health Information Act came into effect in October 2015, and is meant to govern how personal health information is collected and disclosed.
In the period between April 1, 2016 and March 31, 2017, The IPC's office opened eight files under the Health Information Act, including three breach notifications. One was received from the Beaufort‐Delta Health and Social Services Authority (BDHSSA), involving the inappropriate access of patient records at the Inuvik Regional Hospital.
In May 2016, the hospital sent letters to 67 patients, informing them their health records had been compromised. The BDHSSA received 46 recommendations from external investigators as a result of the incident.
The breaches came to light when a patient, surprised to have a clerk visiting him/her with information on his health, complained to the CEO of the hospital.
An internal investigation showed that "the clerk in question had accessed the inpatient bed history many hundreds of times, mostly after 5:00 pm, during lunch breaks, coffee breaks and during walk‐in clinics."
The BDHSSA then conducted a wider investigation, finding that six staff members had "very likely been breaching patient privacy on a regular or semi‐regular basis."
Keenan-Bengts' report stated a "culture of inappropriately accessing patient information" existed within the clinic. One staff member was terminated, while others were "suspended with pay for a period of time."
Full-time privacy officer for each region recommended
Keenan-Bengts' report said that the snooping was limited to the Inuvik clinic, but she proposed territory-wide recommendations, including the creation of a full-time position of Privacy Officer in each N.W.T. region.
She also said that the MediPatient system, which is used by several territorial health and social services authorities, should be "reconfigured or changed" so it can protect people's information better.
In her recommendations, Keenan-Bengts says the system should be configured "so as to send up clear on‐screen warnings when a user is accessing or attempting to access information beyond that which they have been given access."
Keenan-Bengts believes that the MediPatient system "does not have the functionality to ensure that the rights granted to individuals under the Act are capable of being met.
"None of the electronic medical record keeping systems in use in the Northwest Territories, at least at the government level, have the capacity to mask either parts or the whole of an individual's record," the report reads.