Breach receives little attention from privacy office
April 5, 2017
CALGARY – A woman who was accidentally given private medical information belonging to dozens of other people says she alerted the provincial privacy commissioner’s office but has been frustrated by the slow pace of the investigation.
According to CBC News, a doctor handed Dallas Diamond a list of her mother’s prescriptions when her mom was discharged from the Peter Lougheed Centre hospital in 2013.
Later she noticed the stack of papers included six additional pages that weren’t supposed to be there, including the full names, attending physicians and medical diagnoses of 33 other patients on her mother’s unit.
“There is no way a copy of this should have been given to me,” Diamond said.
She says she alerted Alberta’s privacy commissioner to the error via registered letter in May 2015 and has been emailing the commissioner’s office ever since, with no resolution.
“My frustration is I keep getting brushed off,” Diamond said.
At first, she says, the commissioner’s office told her she wasn’t able to make a formal complaint because it wasn’t her own health information that was involved.
After several emails back and forth, she was told on Jan. 16, 2016, the commissioner “has agreed to investigate the matter on her own motion.”
The investigation continues, and Diamond said she’s received no update about its status or any guidance about what to do with the six-page document.
She’s also been left wondering if the patients whose information is contained in the documents have been notified of the breach.
“I know that if my information had been given to someone mistakenly, I would really want that taken care of in a timely manner,” she said. “And this is going on years now.”
An Alberta Health Services (AHS) spokesperson confirmed the privacy commissioner is investigating the matter and referred questions to that office.
The commissioner’s office typically doesn’t comment on the specifics of active investigations, but spokesperson Scott Sibbald said in general it’s up to the relevant health care “custodian” – a legal category that could include a physician, a hospital or AHS itself, depending on the situation – to notify patients of a privacy breach.
Sibbald said the privacy commissioner’s office “does not notify affected individuals, nor can we require custodians to notify under the Health Information Act.”
John Church, an associate professor at the University of Alberta who studies health policy, said accidental breaches of private information are bound to happen from time to time within a massive organization like AHS, but he would expect a quicker response once the error has been noted.
“I’m a bit surprised that there has been such a delay in following up on it,” he said.
Given that the breach was relatively small and appears to have no malicious intent behind it, Church said it’s possible the case simply hasn’t been a high priority to investigate.