Justice should look at charging health 'snooper': Sask. privacy commissioner

Charges should be considered in the case of a fired health care worker who snooped on the electronic records of more than 900 patients, Saskatchewan's privacy commissioner says.

The employee, who worked in the Heartland health region, was terminated in August after the privacy breach was discovered and an investigation was conducted.

• RELATED:Employee fired from Sask. health region after 900 patient records breached

At the time, the health region apologized and said it would tighten up its procedures to make sure it couldn't happen again.

Over about three months, 901 patients had their electronic records accessed by the employee, called the "snooper" in privacy commissioner Ron Kruzeniski's report.

The information contained in the system included names, health card numbers, diagnostic results, patient letters.

The employee also printed out a number of private records, including lab reports and patient visit information.

"A review of 12 months of data confirmed the suspicions that that employee in question had been snooping," the privacy report that was released earlier this month said.

The health region, which covers about 41,000 square kilometres in the west central part of the province, sent letters to all patients whose data had been compromised.

That included people in every province from B.C. to Quebec, Yukon, three American states and two foreign countries Finland and Germany.

Kruzeniski said that the breach was properly investigated and responded to, but furtheraction might be appropriate.

"Due to the number of records the employee snooped into, I would recommend that [the health region] provide their investigation file to the Ministry of Justice, public prosecutions division, to review the file and determine whether an offence has been committed and charges should be laid," Kruzeniski said in the report.

However, Kruzenski did not make any recommendations on whetheror not layingcharges would be a good idea.

Any charges would come under the Health Information Protection Act. Under the act, the maximum penalty is $50,000 for an individual ($500,000 for a corporation)and the maximum jail sentence is a year behind bars.