OSHAWA, Ont. – Lakeridge Health notified 578 people last month that their hospital records were inappropriately accessed. Hospital officials say 14 staff members who provide mental health services have been disciplined over the privacy breach, which occurred during a 10-year period between December 2004 and summer 2014.
“We’re letting the community know, we’re advising patients – those who have had their records accessed – that it’s formally a privacy breach,” said Kevin Empey, the hospital’s president and CEO. “We have engaged the Privacy Commissioner of Ontario to make sure we’re following their protocol on how we communicate with patients and manage the issue.”
The breach was flagged by auditing software that monitors access to patient records. Mr. Empey said that only staff who are in a patient’s “circle of care” – directly involved in their treatment – should be looking at electronic health records.
The 14 staff members had been accessing information about previous patients as well as patients’ family members. “What we have concluded is this was curiosity or concern about people that had been patients of theirs before,” said Mr. Empey.
He said the information was not sold or released outside of the hospital, as was the case at Rouge Valley Health System, where a former clerk was recently charged with selling the information of about 8,300 patients to financial companies.
“To (the 14 Lakeridge staff involved) it was an innocent check; maybe someone was in a different department before and they went ‘are they OK?’,” said Mr. Empey. “Staff rationalized it as it’s just my eyes … it’s not like the Rouge scenario where I’m selling something.”
Hospital officials are attempting to contact every patient whose records were inappropriately accessed, and Mr. Empey said about 20 have contacted the hospital with follow-up questions.
“What we’ve done is we’ve written a letter to all of the patients, we’re following up with phone calls, some of them are proving hard to locate.”
Though he said 14 staff members were disciplined, Mr. Empey did not specify what form the discipline took, saying that in some cases it was minor and in some cases it was major.
Lakeridge staff sign a code of conduct when they’re hired that includes provisions on patient privacy. As a result of the incident, Mr. Empey said, staff will be asked to sign the code every year as a reminder of their responsibilities. Further, as president and CEO, he will be raising the issue of privacy with staff.
“It’s very upsetting, I’m not at all happy about this and it’s made me realize I haven’t been talking about privacy, it’s just expected that’s how we should behave,” he said.
Mr. Empey said the hospital continues to improve its detection and auditing process for finding privacy breaches, and that the auditing team has started contacting other hospitals to learn from them. There will also be some restrictions on what portion of patient records staff can access, but Mr. Empey said there are challenges to limiting access for hospital workers.
“We have to make sure we don’t tie ourselves in knots and prevent healthcare from happening,” he said. However, he doesn’t believe a solution will come through software.
“The fundamental control is not the computer program, it’s the awareness and the staff understanding their responsibility to treat the information very carefully.”
As to whether he expects a lawsuit as a result of the privacy breach, Mr. Empey said he doesn’t know, but he said there’s no evidence the information has been used for any purpose that would harm anyone. Mr. Empey points out that 578 may be a large number, but across Durham, Lakeridge serves 250,000 to 300,000 patients per year.