Sask. Health Authority removes Estevan-area employee from duty after 880 privacy violations

Privacy commissioner Ron Kruzeniski recommended the employee be fired

Image | Computer closeup

Caption: There were 880 breaches between June 2010 and May 2017. The health authority said the employee is not working and they're considering their options, including terminating their employment. (Getty Images)

The Saskatchewan Information and Privacy Commissioner is recommending that the Saskatchewan Health Authority fire an employee who improperly accessed the private information of 880 people in the Estevan area.
A spokesperson for the SHA said in an email that the employee is not currently working and the Authority is reviewing its options, including terminating their employment.
The breaches were made using Procura, an electronic medical record system used throughout the province, between June 2010 and May 2017, according to Ron Kruzeniski's report on the matter.
Procura is also very thorough, containing information on people such as name, contact information, health services number, physician name, records of visits with physicians, consultation reports, investigation reports, diagnostic results, bills and correspondence.
The information was "need-to-know" and the employee did not need to know. Suspicions were raised when the employee discharged someone using Procura, which was not a function of their job.
The employee was interviewed by health region authorities and had their duties outlined, but went on to improperly access information two other times after the meetings, the ruling says.
Authorities were made aware of a possible breach that May. Everyone whose privacy had been breached was notified, except for the 266 people who had died.
Although there was no privacy officer working within the Sun County Health Region, as it was known before it was amalgamated into the SHA, Kruzeniski recommended that SHA develop a policy to ensure that a privacy officer is notified of a possible breach as soon as it is suspected.
He also recommended that the health authority notify his office of breaches sooner, as Kruzeniski's office was notified eight months after the breach was discovered.
Lastly, he recommended that the SHA refer the matter to the Ministry of Justice for possible legal action.