Nova Scotia’s privacy commissioner has described the response by the province’s Health Minister to her report about a pharmacist snooping through the personal health information of 46 people as disappointing, saying that she feels the department is not taking the issue seriously.
Catherine Tully told Global News in a phone interview on Tuesday that the government had declined multiple offers to meet with representatives of the Office of the Information and Privacy Commissioner (OIPC) to discuss her report’s recommendations.
The report had slammed the province’s Department of Health and Wellness, as well as Sobeys National Pharmacy Group, for their failure to adequately monitor access to personal health information and for failing to have effective safeguards in place to protect Nova Scotia from “snooping” behaviour in the province’s drug information system (DIS).
The OIPC had investigated a series of privacy breaches by a pharmacist employed as the manager at a community pharmacy operated by Sobeys.
The pharmacist, Robyn Keddy, reportedly accessed 46 people’s medical and health information through the DIS, which includes the medical histories of people living in Nova Scotia.
Included in Tully’s report were 10 recommendations for the Department of Health and Wellness and eight recommendations for Sobeys that had the goal of securing patient’s information.
The government issued its response to the OIPC’s recommendations last week.
Tully’s assessment of the department’s response found that six of the recommendations were not accepted by the department, two were partially accepted and only two were accepted.
“As a result, there are outstanding risks to the personal health information of Nova Scotians that have not been appropriately mitigated,” Tully wrote in her assessment.
Tully said that the government has failed to adopt some of her most important recommendations, including performing an audit on all companies who use the DIS system to ensure that those companies have the capacity to audit their own staff members who are complying with the system’s user agreement.
“Sobeys has taken this very seriously, they’ve accepted my recommendations and already implemented them,” she said. “The government doesn’t.”
The Department of Health and Wellness disputed Tully’s claims, saying that the department agrees with nine of the 10 recommendations.
They did not provide details on why they believe their response seems to diverge with the commissioner’s recommendations.
“At no point did the department refuse to meet with the privacy office. It was suggested only if the department had questions with regard to the recommendations,” Tracy Barron, a spokesperson for the department wrote in an email.
“If the privacy review officer would still like to meet for further clarification, the Department of Health and Wellness would be happy to do so.”
Under the province’s current legal framework, the privacy commissioner only has the power to recommend changes. Governments are not obligated to follow or implement them.
Tully says that is something that needs to change, with the government modifying the status of the OIPC office to an independent organization accountable to the legislature with actual order power.
WATCH: N.S. Sobeys pharmacist ‘snooped’ through health information
The data breach
According to Tully’s report, Keddy began working for Sobeys in June 2015, being granted access to the province’s drug information system (DIS), which includes the medical histories of people living in Nova Scotia.
Beginning in October 2015, Keddy began to access health records while creating 28 false profiles in order to access information of those who were not customers of the pharmacy she worked at.
“The pharmacist created false profiles and falsely claimed that individuals had consented to the creation of the record,” Tully wrote in her report.
Keddy reportedly discussed with fellow employees the inappropriate access she gained and witnesses also reported her discussing personal information over the telephone.
According to the report, Keddy was able to look up DIS information on:
- Her child’s girlfriend and her parents
- Her child’s friends and acquaintances
- An individual she had been involved in a car accident with
- Her child’s teachers and former teachers
- Her relatives, some of whom were dead
- Her former high school classmate who had recently suffered a significant illness
The inappropriate access ended in August 2017 after the Department of Health and Wellness conducted an audit of user activity and discovered Keddy’s actions.
“As soon as we became aware that the employee in question breached their employment contract with us, in addition to breaching their professional obligations as a licensed pharmacist, the individual was terminated immediately,” said Cynthia Thompson, vice-president of communications for Sobeys.