Privacy chief suggests prosecuting doc for snooping
April 5, 2023
IQALUIT, Nunavut – Nunavut’s information and privacy commissioner is asking the territorial government to consider prosecuting a doctor who accessed a colleague’s health records without any medical reason to do so. In a review report, Graham Steele detailed how a doctor viewed a colleague’s records numerous times over the span of 18 months following “a workplace incident.”
The report didn’t include any details of the workplace incident. “It is enough to say that the incident was stressful for the complainant, and that the doctor later acknowledged that their conduct was inappropriate and apologized for it,” Steele wrote.
The victim filed a complaint with Steele’s office in December, according to a report by CBC News.
“When confronted with the audit evidence, the doctor admitted that they looked at the complainant’s medical records without any clinical reason,” Steele’s report reads, noting the admission came in a letter to the territory’s medical chief of staff.
“The doctor offered a rationale for the data intrusion, but it is self-serving and scarcely believable. I find the letter constitutes a further privacy breach, because it uses information obtained from the privacy breach to try to justify the privacy breach.”
In a statement to CBC News, the Department of Health said the doctor had left the territory and was on a locum contract when the allegations came to light. Still, the department terminated the doctor’s contract, and said the victim also reported the incident to the Ontario and Quebec licensing bodies.
The Collège des médecins du Québec wrote in an email that it could neither confirm nor deny it was investigating the specific doctor. It said the information only becomes public if the organization decides to file a complaint after completing an investigation. After a complaint is filed, a disciplinary hearing would be held.
The doctor looked through the complainant’s records through Nunavut’s electronic medical records system, called Meditech, which keeps track of who looks at which records.
“Although there was an audit trail, Meditech had no built-in alert system. The doctor’s actions came to light only because the complainant asked, through ATIPP, to see the Meditech audit trail.”
The complainant requested that Steele name the doctor in the report, but Steele wrote that he decided not to, as it wasn’t deemed necessary and the ATIPP legislation prevents the disclosure of identifiable information unless required.
Steele said the doctor committed two violations of the ATIPP Act, but that to his memory there has never been a conviction in Nunavut for these violations. He added there have been prosecutions for data intrusion in other Canadian jurisdictions.
Steele recommended the Department of Health, in consultation with the Justice department, consider prosecuting the doctor. He acknowledged there are difficulties, including the fact the doctor is no longer living in Nunavut and the fact the maximum fine – which can’t exceed $5,000 for both violations – hardly merits the required cost and effort.
Steele also recommended the department develop a comprehensive anti-intrusion plan and acquire software that will alert it to “red flag” behaviours by users of the Meditech system.
The government isn’t required to follow any of the recommendations.
The violation is technically known as snooping, but the complainant argued that term was too innocent. Steele agreed and instead referred to the violation as a data intrusion.
This isn’t the first incident of data intrusion to occur in Nunavut’s health department.
Steele referred to an incident in April 2020 involving a health employee who looked at a complainant’s record because “his spouse was having an affair with the complainant and he was concerned about the possibility that [the complainant] had tested positive for a sexually transmitted infection.”
The report said the complainant had previously asked Health not to permit the employee to have any access to their records.
“The employee had been warned, both verbally and in writing, that they were not to look at the complainant’s records. Despite the warnings, the audit trail showed the employee did look at the complainant’s records once, for three minutes.”
Steele issued recommendations for that incident which were accepted by the department, but in the report on the newest incident he concluded none of them had been implemented when the latest data intrusion occurred.
A Health spokesperson said in an email the department is in the process of implementing the recommendations, but cited delays caused by COVID-19, the recovery of health systems from ransomware, human resources changes and procurement and review requirements.
Recommendations in progress include:
- Every new health employee signing an oath of privacy protection. The government said this is expected to begin within months.
- Online privacy training. The government said this will be available by the end of the month.
- A warning system. The government said discussions of this are ongoing, but changes are expected by the spring.
One of the recommendations the government accepted in 2020 was to implement targeted and random audits. But the report said the government actually rejected that recommendation.
However, the Government of Nunavut said in the emailed statement it has procured an audit software system as a proactive solution to the privacy commissioner’s recommendation for regular audits, which is expected in the spring.