Nova Scotia’s Minister of Health and Wellness has responded to a report issued in August that detailed how a Sobeys pharmacist “snooped” through the health information of 46 people — many of whom were not her patients.
“We welcome the opportunity to strengthen privacy and confidentiality features in our information systems,” Randy Delorey wrote in response to Catherine Tully, the province’s information and privacy commissioner, who wrote the original report detailing the privacy breach.
Tully’s report slammed the province’s Department of Health and Wellness as well as Sobeys for their failure to adequately monitor access to personal health information and for allowing intrusion into the private lives of patients to become a “real and present danger” in the province.
WATCH: Sobeys pharmacist in Nova Scotia ‘snooped’ through health information of 46 people
The commissioner investigated a series of privacy breaches by a pharmacist employed as the manager at a community pharmacy operated by the Sobeys National Pharmacy Group.
The pharmacist, Robyn Keddy, reportedly accessed 46 people’s medical and health information through the province’s drug information system (DIS), which includes the medical histories of people living in Nova Scotia.
“Prescription history and medical conditions contain intimate details of a person’s personal life and are among the most sensitive personal health information a custodian keeps about an individual,” Tully wrote in her report.
“Access to this information for purposes not related to providing health care is a serious invasion of an individual’s personal life and an abuse of authorized user access privileges.”
The commissioner also found that the Department of Health and Wellness and Sobeys failed to adequately monitor access to the data, and that investigations conducted by both parties were inadequate.
As a result of the investigation, Tully made 10 recommendations for the health department and eight recommendations for Sobeys, all with the goal of strengthening and clarifying the monitoring of health information databases in the province.
Delorey responded to those recommendations on Monday.
READ MORE: Department of Community Services most affected by Nova Scotia data breach
Government’s response
The Department of Health and Wellness says it is working with the pharmacy organization to “revise and strengthen” its protocols related the DIS system and will soon carry out an audit that will further identify what is needed to strengthen the system.
The province said it had issued a cease and desist letter to Keddy, ordering her: to destroy all documents and other records that contain health information obtained through her inappropriate access of the DIS system; to provide a list of any individuals who had been provided with the information; and to stop disclosing or using the information in any manner.
Keddy’s lawyer responded to each of the directives and said, “there exists no continuing risk from the pharmacist to the individuals whose names and other information were contained in within the DIS.”
The department added that it had already notified all of the affected individuals and that some had already been in contact with the province about the breach.
Delorey’s letter indicates that this was the first breach of its kind in the province and that it accepted, in whole or in part, the other recommendations made by the commissioner.
READ MORE: N.S. privacy watchdog says province’s laws need to change
The data breach
According to Tully’s report, Keddy began working for Sobeys in June 2015, being granted access to the province’s drug information system (DIS), which includes the medical histories of people living in Nova Scotia.
Beginning in October 2015, Keddy began to access health records while creating 28 false profiles in order to access information of those who were not customers of the pharmacy she worked at.
“The pharmacist created false profiles and falsely claimed that individuals had consented to the creation of the record,” Tully wrote in her report.
Keddy reportedly discussed with fellow employees the inappropriate access she gained and witnesses also reported her discussing personal information over the telephone.
According to the report, Keddy was able to look up DIS information on:
- Her child’s girlfriend and her parents
- Her child’s friends and acquaintances
- An individual she had been involved in a car accident with
- Her child’s teachers and former teachers
- Her relatives, some of whom were dead
- Her former high school classmate who had recently suffered a significant illness
- Co-workers
The inappropriate access ended in August 2017 after the Department of Health and Wellness conducted an audit of user activity and discovered Keddy’s actions.
“As soon as we became aware that the employee in question breached their employment contract with us, in addition to breaching their professional obligations as a licensed pharmacist, the individual was terminated immediately,” said Cynthia Thompson, vice-president of communications for Sobeys, said.