Island Health is reeling from another privacy breach. A Victoria-based support staff member misused access privileges to view the medical records of 34 patients, all from Vancouver island, because of “curiosity.”
The employee was fired.
Island Health president Dr. Brendan Carr apologized to patients and the public and expressed frustration with what he calls a “gross breach of patient, client and public trust.”
“We really do appreciate how important this is for people — for the people harmed by this and the public in terms of their general confidence in the system,” Carr said in an interview.
“So I would just like to say sorry.”
He said he’s also disappointed for the approximately 19,000 staff at Island Health and more across the province.
“They, too, feel this looks bad on them and doesn’t reflect their beliefs and the way that they work,” Carr said.
It’s the fourth privacy breach in two years, and brings the total number of patients affected to 383. The health authority is “actively” notifying the 34 patients whose files were breached.
“The final meeting with the employee was Thursday,” Carr said. “Our employees know it’s wrong to look at the private health information of patients when they have no legitimate reason to do so.”
The breach was discovered through a random audit.
“We are very rigorous about continually testing our database to look for patterns of interactions in patients’ charts,” Carr said.
The employee’s access to personal or confidential information was immediately revoked and the B.C. Office of the Information and Privacy Commissioner was notified.
The investigation’s scope went back to January 2015.
A probe determined the employee had repeatedly used the system’s general search function to look at basic patient information, including names, ages, demographics, the health facility used and reason for the visit.
Carr explained that if an emergency room doctor, as an example, searched for a patient’s name, the system would ask his job role and also whether he was the patient’s caregiver. If he wasn’t, a red flag would be raised.
This privacy-breach audit and investigation was not related to another announced on June 14, Carr said. In that case, two non-clinical support staff were fired after they snooped through the files of 198 family members, friends and prominent people.
In April 2015, a long-term central Vancouver Island health professional was fired for looking at the records of 39 family, friends and co-workers in 2014.
In a case uncovered in October 2014, two nurses were fired for viewing the electronic files of 112 family, friends and co-workers since January 2012.
Last month, outgoing privacy commissioner Elizabeth Denham called on the province to step up its privacy laws and impose fines of up to $50,000 for health-care workers found snooping.
“We certainly need to continue to become more sophisticated in terms of the protections and controls we put in place that prevent people from doing this,” Carr said. “I would also agree with the privacy commissioner there should be a different range of penalties, including financial penalties.”
NDP health critic Judy Darcy said the province’s privacy laws need to be moved “into the 21st century.”
“The province and Island Health have to take a long hard look at what is needed,” Darcy said.
Carr said Island Heath, which has been updating privacy training in place since 2002, has introduced a confidential information management course that is mandatory for all employees.
“We are actively rolling it out now,” Carr said. “And I’ve indicated to the organization I expect people to have completed the module by September.”