A breach of privacy report was released last week into an incident where confidential information was faxed by mistake from Saskatoon to a North Battleford computer store.
Kelly’s Computer Works in North Battleford received the fax, according to the Oct. 10 report of Ronald Kruzeniski, Saskatchewan Information and Privacy Commissioner. The local business informed the privacy commissioner of the breach on Sept. 7, and an investigation was launched.
According to the commissioner’s report, the fax originated from Saskatoon Regional Health Authority, Non-Invasive Cardiology, St. Paul’s Hospital in Saskatoon. The intended recipient was Dr. Arstides Rodriguez Naranjo, with the fax cover sheet addressed to a “Dr. Rodriguez.”
According to the privacy commissioner, the fax contained one patient’s exercise tolerance results.
Information in the fax included the patient’s name, medical record number, provincial health number, date of birth, age, gender, type of medication the patient was taking, results of the cardiac test, conclusion of the test and recommendation for an additional cardiac test for the patient. In his report, the privacy commissioner determined that SRHA had adequately contained the breach and had also notified the patient.
The investigation determined a medical office assistant in the non-invasive cardiology department “had inadvertently sent the fax to the incorrect fax number,” according to the report.
Moreover, this is not the first time a fax has been sent by mistake to Kelly’s Computer Works.
In Jan. 2017, the privacy commissioner had also been notified by Kelly’s Computer Works of a misdirected fax that it had received. It had also been sent by the non-invasive cardiology unit at St. Paul’s Hospital and had also been intended for Dr. Rodriguez.
The privacy commissioner ultimately found that SRHA’s faxing practises “do not follow its internal policy and procedure regarding faxing personal health information.”
Those policies included notifying the recipient by telephone that confidential or personal information was being transmitted; to ask the receiver to stand by the fax machine to receive the information; and to ask the receiver for confirmation of receipt of the information.
As for how to prevent this from happening again a number of options were contemplated.
In his final report, Kruzeniski indicated his office has asked the SRHA to explore options to “block outgoing fax numbers from either the fax machine or through its telecommunications service provider.” However, the health region found that neither the fax machine nor the telecommunication service provider had the ability to block outgoing fax numbers.
Kruzeniski also made a draft recommendation that the SRHA “implement mandatory annual privacy training for all employees.” However, he also noted that in response to the draft investigation report, SHRA indicated it was “difficult to respond to this recommendation as all 12 Saskatchewan regional health authorities were in the process of transitioning into one provincial health authority.”
The privacy commissioner stated he was hopeful the SHRA and staff will “encourage and promote mandatory privacy training and the new Saskatchewan Health Authority will adopt a policy of mandatory annual privacy training for all employees.”
