Nova Scotia’s information and privacy commissioner has slammed the province’s Department of Health and Wellness as well as Sobeys for their failure to adequately monitor access to personal health information and for allowing intrusion into the private lives of patients to become a “real and present danger” in the province.
The condemnation comes as part of two investigations conducted by Catherine Tully that were released on Wednesday.
Tully investigated a series of privacy breaches by a pharmacist employed as the manager at a community pharmacy operated by the Sobeys National Pharmacy Group.
Although the privacy commissioner did not name the pharmacist in her report, the Nova Scotia College of Pharmacists has confirmed that Robyn Keddy is the pharmacist in question.
A cached version of the website belonging to the Sobeys store in Greenwood, N.S., lists Keddy as the pharmacy manager. The page was updated on Wednesday to remove the information.
Tully says Keddy snooped into the electronic personal health information — including prescription history and medical conditions — of 46 people over a two-year period in order to “satisfy personal curiosity.”
“Access to this information for purposes not related to providing health care is a serious invasion of an individual’s personal life and an abuse of authorized user access privileges.”
The data breach
Keddy began working for Sobeys in June 2015, being granted access to the province’s drug information system (DIS), which includes the medical histories of people living in Nova Scotia.
Beginning in October 2015, Keddy began to access health records, creating 28 false profiles in order to access the information of people who were not customers of the pharmacy where she worked.
“The pharmacist created false profiles and falsely claimed that individuals had consented to the creation of the record,” Tully wrote in her report.
Keddy reportedly discussed with fellow employees the inappropriate access she gained and witnesses also reported her discussing personal information over the telephone.
According to the report, Keddy was able to look up DIS information on:
- Her child’s girlfriend and their parents
- Her child’s friends and acquaintances
- An individual she had been involved in a car accident with
- Her child’s teachers and former teachers
- Her relatives, some of whom were dead
- Her former high school classmate who had recently suffered a significant illness
- Co-workers
The inappropriate access ended in August 2017 after the Department of Health and Wellness conducted an audit of user activity and discovered Keddy’s actions.
“As soon as we became aware that the employee in question breached their employment contract with us, in addition to breaching their professional obligations as a licensed pharmacist, the individual was terminated immediately,” Cynthia Thompson, vice-president of communications for Sobeys, said.
But the breach didn’t end there.
“The pharmacist used and shared the personal health information and continued to do so after she was dismissed by the pharmacy.”
A disciplinary decision on the Nova Scotia College of Pharmacists website indicates that Keddy’s licence has been suspended for six months as a result of her conduct.
She’s also been required to pay a fine of $5,000 to the college.
‘Inadequate’ investigation by Sobeys and Department of Health
Tully’s reports indicate that the initial investigation into the data breach by the department and Sobeys was “inadequate” in multiple areas.
According to the report, Sobeys did not sufficiently communicate with the health department and failed to correctly identify the full scope and nature of the breaches.
Several Sobeys employees told investigators with the privacy commissioner’s office that they were aware of the unauthorized access for a period of time but hesitated to file a report because Keddy was their supervisor.
“They feared they would not be believed and they would suffer some form of retaliation,” the report says.
As a result of the investigation Tully has made 10 recommendations for the health department and eight recommendations for Sobeys, all with the goal of strengthening and clarifying the monitoring of health information databases in the province.
Tully’s recommendations urge the department of health to recontact all 46 individuals to determine if the pharmacist has been in contact with them since April 2018.
“If so, the DHW must take further legal action to prevent the ongoing unauthorized use or disclosure of the personal health information,” Tully writes.
She also recommends that Sobeys update and implement a privacy breach management protocol while deleting all false profiles that were created by Keddy.
Sobeys says that some of the recommendations have already been implemented.
Randy Delorey, Nova Scotia’s Minister of Health and Wellness, was not made available for an interview on Wednesday but the department has issued a statement.
“Protecting the personal health information of Nova Scotians is of the utmost importance and we take reported breaches very seriously. That’s why we’ve been taking steps to improve the system by increasing privacy training for staff and enhancing the collection of information and stats,” the department wrote in an email.
The department says they’ll provide their response to the report’s findings in 30 days.