Privacy commission flooded by breach reports
October 23, 2019
EDMONTON – Reports of privacy breaches in the healthcare sector have soared in Alberta since new provincial regulations requiring mandatory reporting were put in place, according to the Office of the Information and Privacy Commissioner (OIPC).
“[They’re] more common than I think anyone in the health sector would like to admit,” Scott Sibbald, spokesperson for the OIPC, told CBC News.
It has been mandatory to report such breaches to the privacy commissioner since Aug. 31, 2018, when the Alberta government brought in changes to the Health Information Act, which governs all regulated health professionals.
Prior to the change, the OIPC would receive about 130 voluntary breach reports a year from both inside and outside Alberta Health Services (AHS). In the first year after the new regulations came into effect, it was inundated with more than 1,000 reports.
For example, the office announced in early October that a former AHS clerk was charged and subsequently fined $8,000 for accessing, without authorization, the health records of 81 people on 471 occasions at the Michener Centre in Red Deer.
The OIPC has also been notified about other recent breaches within AHS. They include the disappearance of an unencrypted hard drive containing the personal health information of 650 patients at the Mazankowski Alberta Heart Institute in August, and the inappropriate access of 2,158 electronic health records by Alberta Public Laboratories staff at the Red Deer Regional Hospital earlier this year.
Sibbald says prior to mandatory reporting, the office was investigating five or six offences at any given time. There are currently 20 open investigations, with more than 70 cases flagged as potential offences.
According to Sibbald, most of the cases relate to simple problems – often the result of human error – such as a misdirected fax or email.
But the office is also dealing with increasingly complex breaches relating to inappropriate patient file access.
“We are, of course, seeing more incidents that are a result of snooping. So that’s authorized users of health record systems looking into health information that they don’t need to for their job,” he said.
The influx of reports is putting a strain on OIPC staff. “Considering how resource intensive and time sensitive these types of investigations are to meet the threshold before the courts, it’s really flooding the office at this time,” Sibbald said.
During the first eight months after mandatory reporting came into effect, 40 to 45 percent of the breaches flagged to the privacy commissioner came from within AHS.
“We do take it very seriously,” said Todd Gilchrist, an AHS vice-president. “Unauthorized access is disappointing when it happens and is something that should not continue to happen.”
According to Gilchrist, AHS officials are working to crack down on these kinds of privacy violations and are taking steps to educate staff through several new programs, including:
- A new privacy protection and information access policy (July 2018).
- “Infocare,” which offers privacy and information security training to staff and provides “an easy way for the reporting of breaches and security incidents” (February 2019).
- Mandatory privacy training modules (June 2019).
Gilchrist says there is no software system in place right now to actively monitor for unauthorized access of electronic health records. Instead, random audits are conducted manually after a problem is flagged.
But Gilchrist says plans are in place to improve that when the first wave of Connect Care, a central access point for patient information, starts rolling out next month.
According to Gilchrist, the electronic information system will have intelligent software in place that actively monitors for breaches.
“This new smart auditing tool will allow us to have more defined levels of security clearance but then also – when it comes to auditing – it will no longer be the manual process. And the intelligent software will always be working across the system, as opposed to just targeting in and looking at specific access.”
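The contrast in the last few paragraphs, between manual random audits run only after a problem is flagged and software that continuously checks every access against what a user is entitled to see, can be shown with a small script. The following is an added example and is not code from the article, from AHS or from Connect Care; the audit-log format, the field names and the care-team table are all constructed here for illustration.

```python
"""Flag possible record 'snooping' in constructed EHR audit-log lines.

Assumptions (not from the article): the CSV log format, the field names and
the care-team table below are invented for this example.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log: who opened which patient's record, and when.
# A real system logs far more fields; this toy format keeps the idea visible.
SAMPLE_LOG = """\
timestamp,user_id,patient_id,action
2019-09-01T08:02:00,clerk01,P1001,view
2019-09-01T08:05:00,clerk01,P1002,view
2019-09-01T08:06:00,nurse07,P1003,view
2019-09-01T08:09:00,clerk01,P1003,view
2019-09-01T08:10:00,clerk01,P1004,view
2019-09-01T08:11:00,clerk01,P1005,view
2019-09-01T08:12:00,nurse07,P1002,view
"""

# Constructed "treatment relationship" table: the patients each user is
# assigned to. Access outside this set has no obvious job-related need and is
# the pattern the article describes as snooping by otherwise authorized users.
CARE_TEAM = {
    "clerk01": {"P1001", "P1002"},
    "nurse07": {"P1002", "P1003"},
}


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows (one per access)."""
    return list(csv.DictReader(StringIO(text)))


def find_unassigned_access(rows, care_team):
    """Return (user_id, patient_id) pairs where the user opened the record of a
    patient who is not on that user's care list, in log order."""
    hits = []
    for row in rows:
        allowed = care_team.get(row["user_id"], set())
        if row["patient_id"] not in allowed:
            hits.append((row["user_id"], row["patient_id"]))
    return hits


def find_high_volume_users(rows, threshold):
    """Return {user_id: distinct_patients} for users who opened more distinct
    patient records than the threshold, a second, relationship-free signal."""
    seen = defaultdict(set)
    for row in rows:
        seen[row["user_id"]].add(row["patient_id"])
    return {u: len(p) for u, p in seen.items() if len(p) > threshold}


def review_queue(text, care_team, threshold=3):
    """Run both checks over the whole log, the way a continuous auditing job
    would, and return what a privacy officer should look at."""
    rows = parse_log(text)
    return {
        "unassigned": find_unassigned_access(rows, care_team),
        "high_volume": find_high_volume_users(rows, threshold),
    }


if __name__ == "__main__":
    for finding, detail in review_queue(SAMPLE_LOG, CARE_TEAM).items():
        print(finding, detail)
```

Run over the constructed log, the script queues three accesses by clerk01 to patients not on that user's care list and flags clerk01 for opening five distinct records in a short window; nurse07, who stayed within the assigned set, produces nothing. The point of the design is that the checks run over every access rather than a random sample, so a finding surfaces without anyone first raising a complaint.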