Patient record breach discovered in Manitoba
November 19, 2014
WINNIPEG – Manitoba Health is investigating the case of a former employee who inappropriately accessed the personal health information of at least 13 people. The violation of the Personal Health Information Act involved the province’s Drug Programs Information Network (DPIN) computer system, said Bernadette Preun, assistant deputy minister of provincial policy and programs with Manitoba Health, Healthy Living and Seniors.
The department said it received a complaint from an external agency about a staff member working for the department. “When it was clear that a breach occurred, we reported it to the ombudsman,” Preun told the Winnipeg Free Press. The employee’s access to personal health information was revoked immediately, she said. The worker is no longer employed by the province.
The department said it is contacting individuals affected by the breach. If others are identified during the investigation, they will be notified, too.
The information was inappropriately gathered from the DPIN computer system. The electronic, online drug system links all community pharmacies but not pharmacies in hospitals or personal care homes, the Manitoba Centre for Health Policy says.
The network captures information about all Manitoba residents, including most prescriptions dispensed to those holding First Nation status. The network contains information such as unique patient identification, age, birth date, sex, medication history, over-the-counter medication history, patient postal code, new drugs prescribed, date dispensed and unique pharmacy identification number.
Preun wouldn’t specify when the information was inappropriately accessed but said it was over an “extended period of time – years” until after 2013. That’s when the Personal Health Information Act was amended to include the possibility of prosecution when someone abuses their access to personal health information and violates the privacy rights of others.
The Personal Health Information Act was passed in 1997 to ensure an individual’s access to their personal health information and to ensure the privacy of personal health information maintained by healthcare providers and facilities, government and other public bodies.
Not all department employees have access to personal health information. Those with access are only authorized to access information if it is necessary to carry out their responsibilities based on the employee’s defined work requirements. Preun said authorized workers receive comprehensive and ongoing training on the act, its rules and requirements and the consequences of violating it.
The department is turning over the information it has uncovered to the ombudsman and a formal investigation is underway. Preun wouldn’t say if police will be called in. “We’re not at that stage yet.”