New details on Inuvik hospital data breach revealed in Privacy Commissioner's annual report - Action News
Home WebMail Saturday, November 23, 2024, 01:34 AM | Calgary | -11.7°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
North

New details on Inuvik hospital data breach revealed in Privacy Commissioner's annual report

In her annual report, the N.W.T.'s Information and Privacy Commissioner says that health information officials are still 'far from compliant' with the territory's Health Information Act, citing a data breach at the Inuvik Regional Hospital in 2016.

Six employees inappropriately accessed patient records in 2016, one was terminated

The N.W.T.'s Information and Privacy Commissioner's annual report reveals new details about a 2016 privacy breach at the Inuvik Regional Hospital, in which six employees inappropriately accessed patient records. (CBC)

Health information custodians in the N.W.T.'s public sector are still "far from compliant" with the Health Information Act, according to the territory's Information and Privacy Commissioner (IPC).

In her latest annual report,tabled Tuesday in the legislative assembly,ElaineKeenan-Bengts says that even though there has beensome progress on the development of systemwide standards, policies and procedures, there is still "much work" to be done.

The N.W.T. Health Information Act came into effect in October 2015, andis meant to govern how personal health information is collected and disclosed.

In the period between April 1, 2016 and March 31, 2017, The IPC's office opened eight files under the Health Information Act, including three breach notifications. One was received from the BeaufortDelta Health and Social Services Authority (BDHSSA), involvingthe inappropriate access of patient records at theInuvik Regional Hospital.

In May 2016, the hospital sent letters to 67 patients, informing them their health records had been compromised. The BDHSSAreceived46 recommendations from external investigators as a result of the incident.

Elaine Keenan-Bengts is the N.W.T.'s Information and Privacy Commissioner. In her annual report, she writes that health information custodians in the public sector are still 'far from compliant' with the territory's Health Information Act. (Jane Sponagle/CBC)
In her report, Keenan-Bengts gives a more detailed explanation of the breaches, saying that it appearedclinic staff were using the electronic MediPatient system to view patient information.

The breaches came to light when a patient, surprised to have a clerk visiting him/her with information on his health, complained to the CEO of the hospital.

An internal investigationshowed that "the clerk in question had accessed the inpatient bed history many hundreds of times, mostly after 5:00 pm, during lunch breaks, coffee breaks and during walkin clinics."

The BDHSSA then conducted a wider investigation,findingthat six staff members had "very likely been breaching patient privacy on a regular or semiregular basis."

Keenan-Bengts' reportstated a "culture of inappropriately accessing patient information" existed within the clinic. One staff member was terminated, whileothers were "suspended with pay for a period of time."

Full-time privacy officer for each region recommended

Keenan-Bengts' report said that the snooping was limited to the Inuvikclinic, but she proposed territory-wide recommendations, including the creation of a full-time position of Privacy Officer in each N.W.T. region.

She also said that the MediPatient system, which is used by several territorial health and social services authorities,should be "reconfigured or changed" so it can protect people's information better.

In her recommendations, Keenan-Bengts says the systemshould be configured "so as to send up clear onscreen warnings when a user is accessing or attempting to access information beyond that which they have been given access."

Keenan-Bengts believes that the MediPatient system "does not have the functionality to ensure that the rights granted to individuals under the Act are capable of being met.

"None of the electronic medical record keeping systems in use in the Northwest Territories, at least at the government level, have the capacity to mask either parts or the whole of an individual's record," the report reads.