More than 2,500 privacy breaches at N.S. health authority in recent years, report says

There have been almost 100 privacy breaches per month on average at the Nova Scotia Health Authority in recent years.

But there is no way for the public to know how many people have been impacted by having private health information improperly shared.

Not even the province's privacy commissioner isfully informedand she wants to see that changed.

"It could be psychiatric notes, diagnoses, procedures you've had that you don't want other people to know about," Catherine Tully said.

CBC used a freedom of information request to obtain the number and kind of privacy breaches at the health authority in recent years.

CBC was told the organization was unable to provide the number of patients who have had their personal information improperly shared.

"Please note that these are counts of breach reports, some breaches may involve more than one person, there is not a way to capture this in reporting at this time," according to a statement included in documents provided.

However, an NSHA spokesperson said the authorityknows the majority of the breaches involve only one patient each and are minor in nature.

Tully said it's important to know how many people are affected in order to assess the seriousness of each breach.

"Was it one person? It could still be a serious breach.Is it 10,000 people? Is it 100,000 people?" she said.

"We have these huge databases in N.S. There could be 800,000 people affected by the breach. That's within the realm of possibility here in Nova Scotia."

The document shows there were 2,562 reports of privacy violations of patients, employees, contractors and volunteers between Oct. 1, 2016 and December 31, 2018.

It provides general descriptions of what happened, for example, inappropriate sharing/disclosure of information to others. It classifies the breaches as no harm, mild harm, moderate harmand severe harm.

Privacy breaches can take many forms. Often, they're unintentional, but some are not.

Numbers provided by the health authority in response to a freedom of information show the number of breaches from employees snooping on patientsin recent years.

Most of the 2,562 breach reports fall within the lesser classifications, as defined by the authority.

Patients must be notified in every instance except for the no harmcategory.

'It makes absolutely no sense'

Provincial legislation requires the privacy commissioner only to be notified about no harmbreaches, meaning they are so minor not even the patient is notified.

"It makes absolutely no sense," Tully said. "I call it the upside-down breach-reporting requirement."

Tully said it's important that minor breaches are reported to her office.

But, she said:"It's also very important that when there is a risky breach where there's harm to individuals [that] there's some independent oversight looking at what happened, what did you do and have you done enough to prevent this from happening again."

There are 68 reports classified as moderate. Only three are categorized as severe.

When the news was shared with Tully, it was the first time she had seen all of the numbers.

Tully said classifying the breaches is subjective and she points out that NSHA classifies "inappropriate sharing/disclosure of information to others" as no harm, mild harm, moderate harm and severe harm in different reports.

There is also no way to know whether the breaches were identified by NSHA staff or patients.

Tully said the province's legislation that only requires no harmcases be reported to her is "completely inconsistent" with every other jurisdiction that has breach reporting, including Europe, Alberta and Ontario.

She has asked government to change legislation "a number of times" so all breaches are reported to her office. The premier said earlier this year he would review the legislation, but made no promises to change it.

"I would like them to add to the law a mandatory requirement that they report breaches to our office where there's a real risk of significant harm and that they do so in a timely fashion," she said, adding that in Europe those breaches are required to be reported to privacy commissioners within 72 hours.

Improvements being made

Tully said the NSHA has been working with her office to improve its breach reporting and has already implemented a number of recommendations her office made a few years ago.

She said health-care providers have started using a new breach reporting form as of April 1.

It will require each report to identify how many people were impacted, although the reports will still only cover no harm breaches.

NSHA responds

While the privacy commissioner may not get information on serious breaches, Colin Stephenson, an NSHA executive, said all privacy breaches are reported, whether to the privacy commissioner, the person impacted or the health authority itself.

He saidnotification is always made to those whose privacy has been breached if there is any chance of harm or embarrassment.

"Our primary obligation, and the most important thing for us to do, is to make sure that individuals who have potentially had their information accessed are notified of that," Stephenson said.

He points out most of the breaches, up to 80 per cent, fall into the no harmcategory, and are reported to the privacy commissioner.

He also said when there is a "significant or substantial" breach, which requires a more thorough investigation, NSHA has, and will continue, to enlist the help of the privacy commissioner.

However, when asked directly whether the NSHA has plans to report all breaches to the privacy commissioner, Stephenson said, "We haven't at this stage made any plans to shift or change what our reporting is."

Tully is urging Nova Scotians to "become activists" around the protection of privacy.

She said Nova Scotians who discover their privacy has been breached by health providers, or who get a breach notification from them, should speak up. She said they can complain to her office, which will determine if an investigation is needed.

Stephenson said any Nova Scotian can, at any time, ask for an audit of their health record to see who has accessed their personal information.