New details on Inuvik hospital data breach revealed in Privacy Commissioner's annual report

Health information custodians in the N.W.T.'s public sector are still "far from compliant" with the Health Information Act, according to the territory's Information and Privacy Commissioner (IPC).

In her latest annual report,tabled Tuesday in the legislative assembly,ElaineKeenan-Bengts says that even though there has beensome progress on the development of systemwide standards, policies and procedures, there is still "much work" to be done.

The N.W.T. Health Information Act came into effect in October 2015, andis meant to govern how personal health information is collected and disclosed.

In the period between April 1, 2016 and March 31, 2017, The IPC's office opened eight files under the Health Information Act, including three breach notifications. One was received from the BeaufortDelta Health and Social Services Authority (BDHSSA), involvingthe inappropriate access of patient records at theInuvik Regional Hospital.

• Inuvik hospital employees inappropriately accessed patient records, say health officials

In May 2016, the hospital sent letters to 67 patients, informing them their health records had been compromised. The BDHSSAreceived46 recommendations from external investigators as a result of the incident.

In her report, Keenan-Bengts gives a more detailed explanation of the breaches, saying that it appearedclinic staff were using the electronic MediPatient system to view patient information.

The breaches came to light when a patient, surprised to have a clerk visiting him/her with information on his health, complained to the CEO of the hospital.

An internal investigationshowed that "the clerk in question had accessed the inpatient bed history many hundreds of times, mostly after 5:00 pm, during lunch breaks, coffee breaks and during walkin clinics."

The BDHSSA then conducted a wider investigation,findingthat six staff members had "very likely been breaching patient privacy on a regular or semiregular basis."

Keenan-Bengts' reportstated a "culture of inappropriately accessing patient information" existed within the clinic. One staff member was terminated, whileothers were "suspended with pay for a period of time."

Full-time privacy officer for each region recommended

Keenan-Bengts' report said that the snooping was limited to the Inuvikclinic, but she proposed territory-wide recommendations, including the creation of a full-time position of Privacy Officer in each N.W.T. region.

She also said that the MediPatient system, which is used by several territorial health and social services authorities,should be "reconfigured or changed" so it can protect people's information better.

In her recommendations, Keenan-Bengts says the systemshould be configured "so as to send up clear onscreen warnings when a user is accessing or attempting to access information beyond that which they have been given access."

Keenan-Bengts believes that the MediPatient system "does not have the functionality to ensure that the rights granted to individuals under the Act are capable of being met.

"None of the electronic medical record keeping systems in use in the Northwest Territories, at least at the government level, have the capacity to mask either parts or the whole of an individual's record," the report reads.

• View the annual report (PDF)