NS probe uncovers more than 1,200 privacy breaches
February 15, 2023
HALIFAX – As part of an ongoing investigation, more than 1,200 privacy breaches were discovered at Nova Scotia Health. The effort began in August 2020, when the organization discovered eight employees snooping into the electronic health records of people associated with the mass casualty events of April 18 and 19, 2020.
Further investigation revealed that the workers had looked into many patients’ records over many years. “They looked up friends, colleagues, and acquaintances when they were not providing care to these people,” a release from the privacy commission said.
In total, the probe uncovered more than 1,200 privacy breaches affecting 270 people, according to a news release from the Nova Scotia privacy commissioner’s office.
The eight employees included a booking clerk, a booking and registration clerk, a ward clerk, a nurse navigator, a nurse practitioner, an admitting clerk, a secretary at an outpatient clinic and a secretary at a regional hospital.
The penalties against the employees ranged from verbal warnings and one-day suspensions to termination.
In some cases, Nova Scotia Health did not properly follow up on the breaches or ignored its own policies, Privacy Commissioner Alicia Ralph said in her report on the situation.
The nurse practitioner’s access to electronic systems was never suspended and there was no additional auditing of the NP’s activities, a contravention of policy.
The admitting clerk had access to health records throughout the NSH investigation. The worker was eventually fired but continued to have access to NSH systems three days after the termination.
The secretary at the outpatient clinic, who was responsible for 612 privacy breaches affecting 146 people, was fired on June 19, 2020, but their access to NSH systems wasn’t cut off until July 6, 2020.
The booking clerk, who was responsible for 524 breaches affecting 101 people, was fired on Aug. 4, 2020.
The commissioner did not release locations of the places where the breaches occurred.
Nova Scotians have no choice but to trust NSH with sensitive personal health information if they are to receive healthcare, the release said.
Ralph determined that while NSH does have privacy-relevant policies and protocols, they are at times outdated, unclear and in many cases not followed.
“Robust policies, compliance monitoring, and strong training along with enforcement of penalties for non-compliance are essential to protecting the privacy rights of Nova Scotians,” Ralph said in the release.
In 2016, NSH implemented a provincial privacy office with a privacy manager leading a team of four officers, one for each health zone.
But Ralph found weaknesses in NSH’s response to the breaches. She said policies, training and penalties are not always enough to deter some employees from snooping. NSH should take steps to revamp its electronic information systems so that only those who have an active clinical relationship with a patient are allowed to view that patient’s medical information.
“If you can’t access the information, you can’t snoop into it.”
Ralph made 12 recommendations to NSH that aim to correct weaknesses in its information practices with the goal of preventing future privacy breaches.
The release said NSH is considering the report “and has preliminarily indicated that it intends to accept most of the recommendations. NSH will have 30 days to formally decide whether it will follow Commissioner Ralph’s recommendations.”
In general, she wants NSH to strengthen its privacy management program.
“Privacy should be a core organizational value baked into day-to-day operations.”
In an emailed statement, NSH offered an apology to the patients whose information had been compromised.
“This breach added further unnecessary harm to the families of those who lost loved ones in April 2020. We deeply regret that this breach took place. It is essential that Nova Scotians trust us to protect their personal health information. It is shared with us at a time when you’re at your most vulnerable and should never be subject to the curiosity of others.”
The snoopers’ actions do not reflect NSH’s corporate culture or the behaviour of most of its staff and physicians, the statement said.