Saskatchewan Health employee snooped on 880 patients

REGINA – The Saskatchewan Information and Privacy Commissioner is recommending that the Saskatchewan Health Authority fire an employee who improperly accessed the private information of 880 people in the Estevan area.

A spokesperson for the SHA said in an email that the employee is not currently working and the Authority is reviewing its options, including terminating the person’s employment.

The breaches were made using Procura, an electronic medical record system used throughout the province, between June 2010 and May 2017, according to Ron Kruzeniski’s (pictured) report on the matter.

Procura is also very thorough, containing information on people such as name, contact information, health services number, physician name, records of visits with physicians, consultation reports, investigation reports, diagnostic results, bills and correspondence.

The information was “need-to-know” and the employee did not need to know. Suspicions were raised when the employee discharged someone using Procura, which was not a function of their job.

The employee was interviewed by health region authorities and had their duties outlined, but went on to improperly access information two other times after the meetings, the ruling says.

Authorities were made aware of a possible breach that May. Everyone whose privacy had been breached was notified, except for the 266 people who had died.

Although there was no privacy officer working within the Sun County Health Region, as it was known before it was amalgamated into the SHA, Kruzeniski recommended that SHA develop a policy to ensure that a privacy officer is notified of a possible breach as soon as it is suspected.

He also recommended that the health authority notify his office of breaches sooner, as Kruzeniski’s office was notified eight months after the breach was discovered.

Lastly, he recommended that the SHA refer the matter to the Ministry of Justice for possible legal action.