200 records breached at Hamilton doctor’s office

Ontario’s former privacy commissioner is concerned after the medical privacy of more than 200 patient records was breached within a Hamilton doctor’s office. The Hamilton Family Health Team – a nonprofit corporation that provides clinical and administrative assistance to 166 doctors – recently confirmed that personal letters were sent out to 204 patients last week to inform them of a privacy breach of its files at a local doctor’s office.

While the HFHT refused to identify the doctor’s office in question, Terry McCarthy, executive director and privacy officer, confirmed the breach involved “an unauthorized, remote viewing” of some electronic patient files.

“That’s hacking,” says former provincial privacy commissioner Ann Cavoukian (pictured). “You don’t have someone snooping (in the office). You have potentially widespread access online.”

The breach was detected in September, McCarthy said, during a routine privacy audit – during which the HFHT offers technical support – by the practice manager of a physician’s office that had recently taken over a roster of patients from another.

In this case, McCarthy says the doctor immediately contacted the electronic medical record vendor and blocked further access. They then contacted the privacy commissioner.

The HFHT – which also provides privacy training and will act as privacy officers – assisted with a detailed audit of the files that had been accessed, and confirmed Tuesday that none had been altered.

But Cavoukian, who is now executive director of the Privacy and Big Data Institute at Ryerson University, said the situation is still “enormously” concerning.

“Personal health information is the most sensitive type of personal information out there, and it deserves the strongest protections,” she said.

“Obviously if you are dealing with electronic medical records, you must have the strongest security possible. People need to be assured their data is going only to the intended parties.”

The privacy commissioner’s office said that without the name of the doctor’s office, it could not confirm reports of a breach or offer additional information.

Cavoukian said she would like to know why the office in question has not been identified publicly, outside the letters.

McCarthy says the letters were sent to patients Friday and required a signature upon delivery. Two patients have so far called in, he said.

Source: The Hamilton Spectator
