Privacy commissioner releases report into privacy breach at home care

A report has been released into a breach of privacy that occurred with Estevan Area Home Care.

Ronald J. Kruzeniski, the Saskatchewan Information and Privacy commissioner, handed down the report on April 30. In his report, he said the former Sun Country Regional Health Authority acted properly in how it handled the investigation, and he also recommended that the new Saskatchewan Health Authority (SHA) terminate the employment of the individual responsible for the breach.

As was reported by the Mercury in March, the employee accessed the personal health information of 880 individuals between June 2010 and May 2017.

An investigation was able to identify all of the home care clients who were affected by the privacy breach. Sun Country determined that 266 of the affected individuals were deceased. The health region provided notification to the 614 affected individuals who were still living.

According to Kruzeniski’s report, the employee was suspected of snooping in an electronic database, Procura, which contained personal health information of homecare patients.

Suspicion was raised when the employee knew more personal health information than an individual in their position would have needed to complete the duties of that position.

Sun Country reported the breach to the privacy office on Nov. 8, 2017, and the following day, Kruzeniski’s office notified the health region that he would be monitoring this matter.

Procura contains the entire health care records of homecare patients. This includes name, contact information, health services number, physician’s name, records of visits with physicians, consultation reports, investigation reports, diagnostic results, bills and correspondence.

Also in his report, Kruzeniski said Sun Country noticed that the employee in question discharged a patient in the Procura system on April 4, 2017. This was not a function of the employee’s position at Sun Country.

“This raised suspicion regarding the employee’s activities in Procura,” he wrote. “Throughout the months of April and May, the home care department investigated this matter. This initiated an extensive audit of all of the employee’s activities in Procura. Thousands of views, edits and deletes were evaluated.”

Sun Country’s privacy officer was not notified of the breach until May 29, 2017. On May 31, 2017, Sun Country restricted the employee’s access in Procura.

“While restricting the employee’s access to personal health information in Procura and then terminating it altogether once a more thorough investigation took place is a right step, it should have occurred at an earlier date,” he wrote. “Sun Country noted that there was no privacy officer in place during the beginning phases of the investigation.”

Also, on May 11, 2017, the home care manager addressed general topics related to the breach with the staff, such as not performing tasks outside of one’s role and the implications that has on the protection of personal health information.

He also recommended that the SHA find ways to formally address breaches in a more timely manner, as it took Sun Country eight months to report the breach.

“Sun Country interviewed the employee in question,” he wrote. “It also interviewed the home care manager at the time the breach was discovered as well as a previous manager. Sun Country also conducted an extensive audit of the employee’s activities in Procura.”

The audit also revealed that the employee had continued to make inappropriate accesses after two initial meetings about the breach, which occurred on April 10, 2017 and May 11, 2017. The employee’s roles and responsibilities with respect to Procura were outlined at these meetings and need-to-know was discussed.

An internal investigation report provided the following action items as its plan for prevention:

· Improve role-based permissions in Procura so that users are given access limited to what personal health information is required for their job function.

· Continue and improve staff education and training on privacy and confidentiality in Procura.

· Implement a “roles and responsibilities” or user agreement for Procura users which will display in the pop-up message box that appears every time a user logs into the system. This has been implemented.

· Require all staff to review and sign the Privacy and Confidentiality Pledge annually.

· Develop a new and improved privacy oath for home care employees to sign.

· Implement auditing in Procura so that the SHA is able to perform audits on users and does not have to rely on eHealth for this. Develop auditing work standard. This has been achieved.

Kruzeniski also recommended that the SHA forward its investigation file to the Ministry of Justice, Public Prosecutions Division, to determine whether an offence has occurred and whether charges should be laid under the Health Information Protection Act.

Doug Dahl, a spokesperson for the SHA, said the authority is reviewing the recommendations, including those about the employee’s status and the referral to the public prosecutions unit.

“The employee is not currently at work and does not have access to any electronic health records,” Dahl said.