Doctors snooped in Humboldt Broncos records

REGINA – Saskatchewan’s privacy commissioner has found eight people inappropriately gained access to the electronic health records of 10 Humboldt Broncos team members involved in a bus crash last April.

Sixteen people were killed and 13 were injured in the crash between the junior hockey team’s bus and a semi trailer at a rural Saskatchewan intersection.

“Due to the high-profile nature of the crash, eHealth Saskatchewan understood the risk of snooping,” said a report from information and privacy commissioner Ronald Kruzeniski (pictured).

The report said the health agency began monitoring the profiles of the patients, which included lab results, medication information and chronic diseases, three days after the crash.

“Between April 9, 2018, and May 15, 2018, eHealth detected eight users of the viewer, mostly physicians, accessed without apparent authority the profiles of 10 patients.”

The report shows eHealth reported the breaches to the privacy commissioner July 5.

“This has been a major tragedy in our province and I’m disappointed that people got tempted,” Kruzeniski said in an interview with The Canadian Press. “Now that it’s happened, it’s my job to work with others through education and legislative change (to) make the system work.”

His report, which has been posted online, detailed the privacy breaches. In one case, an employee of a medical clinic examined the health information of three people involved in the collision.

The assistant admitted she consulted the records because “her family members had heard one of the individuals had died and she wanted to verify the information; she thought another individual was a patient … (and) she wanted to verify a detail that was reported by the media about one of the individuals.”

The report said the employee’s access to eHealth was suspended and she was given further training, but she has since resigned.

Another case involved a doctor at a Humboldt clinic who viewed the records of two people, including one who was a patient prior to the crash.

“Dr. D wanted to know what injuries the individual sustained, if the individual received care or if it was an instant fatality,” said the report. “For the other individual, it explained Dr. D was concerned.”

Other cases included three doctors who provided emergency care at the Nipawin Hospital and who reviewed patient records of those they treated. “They believed they were in the individuals’ ‘circle of care,”’ said the report.

The privacy commissioner said the province’s Health Information Protection Act does not address circles of care so the doctors were no longer authorized to access the records.

“You are entitled to access when you have a need to know, not an anticipated need, not, ‘Gee, I might like to know.”

Another case saw a medical resident view the information of three patients because she wanted to get closure on the cases, which is not an acceptable reason.

During the monitoring period, two other medical residents looked at the records of one crash patient when the residents were reviewing the records of dozens of other patients with a particular illness.

Kruzeniski made a number of recommendations to eHealth – including that it conduct regular monthly audits for the next three years of the physicians involved.

Kruzeniski also recommended that the organization comply with a need-to-know principle rather than a circle-of-care concept and that users of electronic records be made to regularly review their training.

A statement from eHealth said it took a number of measures to address the breaches, including notifying the privacy commissioner and the families affected.

It terminated the account of the medical office assistant, suspended the accounts of the medical residents until they had further training and sent letters to the doctors. It’s also reviewing the recommendations from the privacy commissioner.

The Saskatchewan Health Authority said it is following up on the report and apologized to the patients and their families.