Retired doctor did not protect medical records, notify of breach: Sask. privacy commissioner - Action News
Home WebMail Tuesday, November 26, 2024, 06:48 AM | Calgary | -17.5°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Saskatchewan

Retired doctor did not protect medical records, notify of breach: Sask. privacy commissioner

A retired doctor who was careless with medical records that were meant to be shredded needs to notify former patients whose personal data might have been breached,Saskatchewan's information and privacy commissioner says.

Documents that were supposed to be shredded were found intact in Prince Albert

Several garbage bags sit on top of, or next to, half a dozen storage boxes.
Boxes and bags are filled with medical records obtained by the office of the Saskatchewan information and privacy commissioner. (Office of the Saskatchewan Information and Privacy Commissioner)

A retired doctor who was careless with medical records that were meant to be shredded needs to notify former patients whose personal data might have been breached,Saskatchewan's information and privacy commissioner says.

Dr. Lalita Malhotra, aretired doctor in Prince Albert, did not undertake "adequate efforts" to contain or investigate the breach, and did not provide notice about it, Ronald J.Kruzeniskiwrote in a decision dated Dec. 5.

However, he added, she has takenappropriate steps to prevent further breaches of medical records that remain in her possession.

In July, the office of the privacy commissioner's office received a call from Crown Shred and Recyclingin Prince Albert, notifying them that medical records had been found mixed in with regular recycling in the city about 135 kilometres northeast of Saskatoon.

The caller confirmed that records had been dumped at the facility by Greenland Waste Disposal, a locally owned waste management company that serves parts of central and northern Saskatchewan. The records came in through regular community recycling, the decision says.

On Aug. 3, three privacy office staff members went to the facility in Prince Albert to investigate the records, finding several that appeared to have come from Malhotra's office, the decision says.

While they were there, Greenland dropped off a fresh load of recycling that contained even more medical records connected to the doctor's office. The staff members compiled enough records to "likely fill" 55 or more banker's boxes, the decision says.

The deputy information and privacy commissioner contacted Malhotra's office. He left a message for the doctor, but eventually connected with the receptionist who confirmed that a medical office assistant whom they wouldn't name had been disposing of patient medical records, but believedthey had been taken to a place where they would be shredded, the decision says.

Malhotra returned the deputy commissioner's call, explaining they normally would use confidential shredding with the pharmacy next to the clinic, but there was not enough room.

Malhotra said the office assistant and their partner disposed of the records in Greenland's dumpsters, thinking they would be shredded, according to the decision.

Malhotra said she would be sending about 100 boxes of records to a facility in Ontario for secure storage, the decision says.

Doctor did not do enough to contain records

Kruzeniski found Malhotra did not do enough to contain the breach.

Combined, the medical office assistant and their partner dumped 22 boxes of medical records in unlocked Greenland dumpsters from July 13 to Aug. 2. No documents were bagged or labelled, according to the decision.

When Greenland trucks drop off recycling at Crown Shred and Recycling, it's left spilled on the facility's floor, Kruzeniski noted, leavingthe documents open for anyone to see, although there is no evidence that this occurred.

It's also possible his office did not collect all the records that were put in the dumpsters, and they were shipped openly to another facility, which would aggravate the breach, he said.

Piles of cardboard boxes are smooshed together as a freight truck parks in a loading bay.
Greenland Waste Disposal dumps recycling on the floor at Crown Shred and Recycling in Prince Albert, so the medical records could have been accessed by someone at the facility, the decision says. (Office of the Saskatchewan Information and Privacy Commissioner)

"The longer you go with records out of your physical custody or control, the harder it is to know exactly what happened to them," Kruzeniski wrote.

Malhotra took some immediate steps to stop records from being taken to Greenland dumpstersafter she was notified of the privacy breach, the decision says.

However, it appears she did not take further steps, such as contacting the Crown Recycling and Shredding facility in Prince Albert to inquire about whether documents could have gone to other facilities, Kruzeniski wrote.

If the records had gone elsewhere, she could have followed up with them, he wrote, adding thatas the trustee of those medical records, it was her duty to do so.

Kruzeniski also found that Malhotra did not do enough to protect the records, such as documenting them and giving proper instructions for their handling and disposal.

He also questioned why Malhotra did not use the confidential shredding service as her office had when destroying patient records during day-to-day operations. This should have been used for all records she was sending, he wrote.

Malhotra did not notify those affected

Among the records involved were some for past patients whomMalhotra hadn't seen in years and patients who have died, according to the decision. However, there were some recently dated recordsincluding some that contained COVID-19 test results.

As trustee of the documents, it's best practice to notify those affectedunless there are "compelling reasons" not to, the decision says. This should occur as soon as key facts of the breach have been established.

Malhotra might also find recent patients in the records obtained, he wrote, so she should notify the people she thinks she can.

Malhotra replied she would try her best to contact the affected patients, but it mightbe difficult to find current contact information for many of them, so she has proposed announcing the breach in the local newspaper.

Kruzeniski agreed, but noted this should have been done before his office started investigating.

He says the notificationmust include what happened, the type of information involved, a recognition of the possible effects of the breach and an apology.

Kruzeniski recommended that Malhotra notify individualsand the public through the newspaperwithin 30 days of his decision being issued.

He also recommended that she follow through with her commitment to securely shred and store records that are not yet eligible for destructionby Jan. 31, 2023.