Eastern Health ordered to tighten security procedures
November 16, 2016
ST. JOHN’S, NL – Newfoundland and Labrador’s privacy commissioner is ordering Eastern Health to remind staff to log out of computers once they’re done, after investigating a breach of patient information at the health authority.
Information and Privacy Commissioner Donovan Molloy’s report describes the May 28, 2015 incident as an “intentional breach of patient information.”
The report says an unknown person inappropriately accessed and printed personal health information from the account of a doctor who didn’t log out of the Meditech patient information software.
While a number of patients were involved, Commissioner Molloy only looked into two specific complaints.
According to CBC News, the information consisted of patient names, MCP numbers, gender, age, hospital admission date, attending physician and reason for visit.
That information was then anonymously sent to the Department of Health and the College of Physicians and Surgeons. The investigation could not determine who committed the breach, so no charges were laid.
“Despite the thorough investigation undertaken – which included attempted fingerprint/DNA analysis of the envelopes sent to the department and the college – Eastern Health was unable to confirm, with the necessary degree of certainty, the identity of the person responsible for the intentional inappropriate access,” the report read.
‘No other avenues of investigation offered any prospect of proving the identity of the offender.’ – Commissioner Donovan Molloy
The report went on to say the physician whose account was accessed was on rounds in another part of the hospital when the records in question were printed and could not have printed them.
It said the doctor maintained he didn’t give his user name and password to anyone, but it appears he did fail to log out of the Meditech system after completing a clinic earlier in the day. The files were later printed at that location from the open account.
The hospital or health centre where it happened was not named in the report.
A release said the breach was outside the health authority’s control and “perpetrated by someone who chose to ignore clear rules and policies regarding the protection of personal health information.”
“This person was able to inappropriately access the information through the account of another doctor when he inadvertently failed to log out of his computer session, contrary to Eastern Health policy,” it read.
Molloy has ordered Eastern Health to look into “automatic log-out times” on its systems and to “remind employees of the importance of logging out of computer sessions and of the consequences for failing to do so.”
He also asked the health authority to look into the feasibility of installing proximity card readers.
These readers can automatically log staff in when they get close enough to a computer, and log them out when they move outside that area.