An investigation into a 2016 privacy breach at Alberta Health Services is laying blame on the health authority for not doing enough to safeguard sensitive health information.
The Office of the Information and Privacy Commissioner (OIPC) launched an investigation after the public was informed on Sept. 26, 2016 that a former employee of the Alberta Hospital Edmonton had improperly gained access to more than 1,300 individuals’ health information between 2004 and 2015 through the province’s electronic health record system, Alberta Netcare.
In addition, the demographic information of about 11,539 people had been accessed through the Netcare Person Directory. The breaches were found through an audit of the employee’s access in the Netcare systems.
AHS fired the employee after reviewing her access records.
According to the OIPC, coworkers had come forward a number of times between March 2014 and July 2015 with concerns about the employee’s improper use of Netcare.
“These individuals were generally concerned that their health information had been accessed for unauthorized purposes, and wanted to know why their information had been accessed,” the OIPC said in a release.
“A number of complainants also expressed concern that the employee’s actions went undetected for such a long period of time.”
Considering the number of complaints and the number of people impacted, the investigation, led by commissioner Jill Clayton, was expanded to examine whether the employee’s access was in line with the Health Information Act (HIA) and whether AHS took the right precautions to ensure the safety of the health records.
“This investigation highlights a significant breach of privacy where the focus of the investigation shifted from the employee to AHS’ implementation of safeguards,” Clayton said.
“This report should be a wake-up call for anyone responsible for protecting Albertans’ health information, alerting them to the potential consequences if they fail in their duty to implement and maintain reasonable safeguards to protect health information.”
Amendments came to the HIA in August that introduced a fine of at least $200,000 for “a person who fails to take reasonable steps in accordance with HIA regulations to maintain safeguards to protect against reasonably anticipated threats to the security of health information,” the OIPC said.
The OIPC said four recommendations were given to AHS as a result of the investigation. It also said that during the course of the investigation, AHS took several steps, including focusing on HIA training for employees and auditing its own access-auditing processes.