Sask. privacy commissioner calls health authority's response to faxed data breaches inadequate
SHA employees faxed private info to small town office, Parole Board of Canada
Saskatchewan's privacy commissioner is urging the provincial health authority to part ways with fax machines after investigating numerous privacy breaches involving the dated method of communication.
The commissioner's office has investigated approximately 42 incidents of misdirected faxes by the Saskatchewan Health Authority (SHA) since 2018.
The SHA did not adequately respond to two recent data breaches where staff sent private information to random recipients rather than the intended health-related professional, according to the latest report on the issue from Saskatchewan's information and privacy commissioner, Ron Kruzeniski.
Information was sent to the Town of Gravelbourg and the Parole Board of Canada, according to the investigative report from Kruzeniski, dated Nov. 28, 2022.
The privacy commissioner was notified of the data breaches because the organizations reported receiving the information to his office.
After investigation, Kruzeniski determined that the SHA didn't do an adequate job of notifying the affected people, nor did it take adequate steps to prevent further breaches.
He also noted that, since January 2022, he has issued seven investigation reports involving misdirected faxes. Kruzeniski said the SHA does not report all errors to his office, so he doesn't know how many more breaches occurred.
"I have serious concerns about the privacy risks that arise from the ongoing use of faxes to send personal information and personal health information," he wrote.
He has previously recommended that the SHA proactively report all misdirected fax breaches to his office so they can track and report publicly on the progress of "SHA's efforts to address the privacy risks and bring some transparency and accountability to its work to address this problem."
"SHA has stated that it does not agree with this recommendation."
The 2 incidents
The town of Gravelbourg notified the commissioner's office on June 15, 2022, that it had received information from the Maple Creek public health office.
The town reportedly destroyed the information and the commissioner's office commenced an investigation.
The SHA did not notify the person whose privacy was breached until the end of August. According to the report, the SHA stated it attempted to call the person before that, but had no luck.
"SHA should not have waited two months before mailing the written notice," Kruzeniski wrote.
The Parole Board of Canada advised the commissioner's office it received a fax from the Royal University Hospital (RUH) containing personal health information on June 10, 2022. It too deleted the information, which originated from the genomics lab.
RUH notified the affected person 11 days later.
Kruzeniski took issue with the notice given, saying the SHA did "not include a description of the types of harm that may occur because of the privacy breaches and information about how the affected individuals could change their health services number."
He said this is critical because the person's date of birth and health services number were involved.
The commissioner said he has been calling for the elimination of traditional faxes and for updates on the SHA's work to address the systemic faxing problem since Feb. 2, 2022.
Kruzeniski wrote that Canada's federal, provincial and territorial privacy commissioners and ombudspeople passed a resolution in September 2022 titled, "Securing Public Trust in Digital Healthcare."
It calls for the health-care sector to modernize and strengthen privacy when it comes to sharing personal information. This call to action includes phasing out the use of fax machines.
"My hope is that SHA will heed this call to action," Kruzeniski wrote.
SHA did not immediately respond to CBC's request for comment.