Hospital breach highlights need for better reporting of leaks, says watchdog
Only minor breaches, where there's no risk of harm or embarrassment, must be reported to privacy commissioner
Nova Scotia's privacy watchdog says the accessing of 707 patient records at Shelburne's Roseway Hospital remains one of the largest health-care information breaches in Canada five years later and highlights the need for mandatory reporting to her office of major leaks.
A proposed $1-million settlement is scheduled to be heard Thursday in Nova Scotia Supreme Court in Halifax as part of a class action lawsuit filed against the South West District Health Authority following the breach.
If approved, the settlement would compensate hundreds of patients whose personal records were inappropriately viewed by a hospital admissions clerk for more than a year.
Catherine Tully, the province's information and privacy commissioner, said it's unfortunate "taxpayers will pay for these types of mistakes," but she was hopeful a settlement would encourage the strengthening of privacy protection programs.
Under Nova Scotia's Personal Health and Information Act, only minor breaches — where there's no potential for harm or embarrassment to the patient — must be reported to Tully's office.
Major breaches, such as the one at the Shelburne hospital, aren't required to be reported to the office. Only patients must be notified.
Preventing further breaches
Tully said it's important that the independent oversight office is alerted to serious breaches in order to get a handle on their scope, to detect patterns and to recommend strong education, training and prevention strategies.
In the Shelburne case, the clerk was caught snooping around patient files at a work computer by another employee in 2012. An audit of her work activity uncovered 707 patients whose private records had been looked at for more than a year. She was not authorized to access most of the files and was fired.
A lot is at stake when medical information is leaked, especially in a small town like Shelburne, said Tully.
In addition to personal embarrassment, there could be a hit to reputation, a risk to employment, emotional harm and identity theft.
Complaints to police
She said mandatory reporting would also pave the way for her office to bring complaints forward to police.
Under provincial law, if someone is charged and convicted of wilfully gaining or attempting to gain access to health information in contravention of the act, they could be fined up to $10,000 or jailed for six months.
The RCMP said there was no investigation into the Roseway incident.
Not having mandatory alerts "is a significant weakness in our current access and privacy laws in Nova Scotia," said Tully.
Act currently under review
CBC News contacted the Department of Health and Wellness about the commissioner's recommendation that reporting of major breaches be mandatory.
Spokesperson Andrew Preeper reiterated that all breaches must be reported to either the privacy commissioner or the patient.
"The legislation requires that [the Personal Health and Information Act] be reviewed after three years. This review is currently taking place," he said.
CBC News also asked the Internal Services Department about how much has been paid out in compensation for privacy leaks by public bodies.
A department spokesperson has been working on the request for two days and said additional time is required.