Pharmacist snooped on dozens of patients

HALIFAX – Nova Scotia’s privacy commissioner says she’s shocked by how a grocery-store pharmacist was able to snoop into the electronic personal health information of dozens of people she knew.

Privacy commissioner Catherine Tully warns the breach is indicative of a wider national problem – and demonstrates the “real and present danger” of intrusion into patients’ private lives. “This is a pharmacist, a professional with ethical obligations,” Tully told the Canadian Press.

“It’s shocking that somebody in a position of trust would breach that trust so badly and would fail to recognize the importance of preserving the right to privacy and the integrity of the individuals whose information she breached.”

Tully released two reports in July warning the monitoring of electronic personal health information and databases is a “critical vulnerability” in Nova Scotia.

Tully investigated a series of privacy breaches by a pharmacist employed as the manager at a community pharmacy operated by the Sobeys National Pharmacy Group. She said the pharmacist inappropriately accessed the personal information, including prescription history and medical conditions, of 46 people over two years.

The reports found the pharmacist used Nova Scotia’s Drug Information System (DIS) to get information on her child’s girlfriend and her parents, her child’s teachers and former teachers, co-workers, a former high school classmate who had recently suffered a significant illness, and an individual she had been involved in a car accident with, among others.

She also created fake customer profiles enabling her to see patient information through the provincial drug database.

Some pharmacy employees told Tully’s office they had knowledge of the privacy violations, but they were afraid to come forward because the pharmacist was also the manager.

“An employee witnessed the pharmacist access the DIS in March 2017 and then call her spouse on the phone to discuss what she had discovered. The employee heard the pharmacist say that their child cannot see this person because of the medications she and her parent were on,” Tully’s report said.

“An employee reported that she was consulted by the pharmacist to assist in fabricating reasons for her access of the DIS in response to audit activity by the College of Pharmacists.”

The woman was eventually fired by Sobeys.

Tully said this type of “snooping” is not exclusive to Nova Scotia.

“The report points out all kinds of reports from across the country of this kind of behaviour happening,” she said. “I’m really trying to create some urgency around the need to significantly improve oversight of these types of databases.”

Tully determined the Department of Health and Sobeys National Pharmacy Group failed to adequately monitor access to the data, and that investigations conducted by both weren’t adequate.

She said the Health Department initially told her the breaches had been contained and that there was no evidence of malicious intent.

But her investigation found the pharmacist had also disclosed information to her spouse, and continued to use the health information even after her employment was terminated.

Tully makes 18 recommendations aimed at improving auditing programs and strengthening breach protocols.

One repeats a call she made two years ago calling on the Health Department to take a leadership role in the monitoring of misuse of the database and in carrying out investigations. She said an “entity” has to be created to oversee the system and its “big data.”

She also has made a recommendation directly to Health Minister Randy Delorey that the Personal Health Information Act be amended to lengthen the potential prosecution time to two years.

The report says the Act’s current time limit defaults to six months from the date of the offence.

Sobeys did not reply to a request for comment, but in an emailed statement the Health Department said protecting Nova Scotians’ personal health information is of the “utmost importance,” and reported breaches are taken “very seriously.”

“That’s why we’ve been taking steps to improve the system by increasing privacy training for staff and enhancing the collection of information and stats,” the department said.

The statement said the department would review Tully’s report and recommendations and would provide a response within 30 days, as required under the Personal Health Information Act.

Tully said there’s a need for immediate action.

“It will only get worse,” she said. “We need to get on this … it’s really time to take this seriously and do a much better job.”