Breach identified after personal details circulate in neighbourhood
Eastern Health has terminated five employees in the wake of the health authority’s second breach of confidentiality this year.
Health Minister Susan Sullivan
The latest breach occurred when a nurse who worked for Eastern Health inappropriately accessed the medical records of 122 patients at the Health Sciences Centre in St. John’s.
The information came to light after one of the patient’s neighbours informed her personal information had been circulating the neighbourhood, and was told who the source was.
Eastern Health CEO Vickie Kaminski said “It was brought forward in the last several days from a former patient who said she heard in the community from somebody who had information about her who shouldn’t have and the source was this particular employee.”
Ms. Kaminski was touring the eastern region the end of July with cabinet ministers making a series of health care funding announcements.
The nurse had been employed with Eastern Health 10 years and was fired July 24.
Ms. Kaminski said it was a case of an employee abusing the powers of information they possessed.
CBC News reported nurse Colleen Weeks was one of the fired Eastern Health employees, having received news of her termination in a letter that Tuesday. Contacted by The Telegram, Ms. Weeks declined comment but said she may have more to say later.
Another confidentiality breach occurred in March when medical waste fell from the back of a transport truck and exposed patients' personal information to the public.
Ms. Kaminski said last month’s incident is much more egregious.
“The issue of waste that fell off the back of a truck wasn’t a purposeful breach. The reputation of Eastern Health gets tarnished when this sort of thing happens and we have to be honest.”
She said a number of changes will take place with respect to confidentiality procedures. Coupled with the health authority’s internal auditing process, Ms. Kaminski is hopeful the health authority can prevent this sort of incident from recurring.
“We have random audits that we do; we have limited access for most people. There are small areas that have global access, for example emergency rooms. Where we have those (types) of access we do audits to see if employees have looked at things they shouldn’t have looked at or if they’ve spent time that seems unreasonable looking at a chart.”
Eastern Health has publicly apologized for the breach and said it would begin contacting the 122 people to inform them personally.
‘We will start that process today. We haven’t heard any feedback yet on those patients, but we have had privacy breaches before and patients are always disconcerted. They feel it’s a breach of trust, like ‘Why would this person want to know anything about me?’ and those are things we can’t answer. We have no idea what would prompt people to do that.”
Ms. Kaminiski said there will be no charges laid, as the offence is not criminal, although it does breach both Eastern Health’s internal policies and the provincial Privacy Act.
She said the best way to save face in instances such as this is openness and honesty.
“If we have zero tolerance and we act on that then we hope that’s going to regain that trust and people will feel confident coming back.”
According to the CEO of a local technology company focused on data privacy, approximately 80 per cent of data security breaches come from within.
“We’ve had two major breaches of privacy – we have 21,000 staff within our health authorities; certainly not systemic, not representative of the good quality work that all of our health care providers put in place.” – Susan Sullivan
Kevin Duggan of Camouflage Software Inc. said “There are technologies out there that can mitigate those breaches, but the ability to eliminate them is very hard.”
Mr. Duggan indicated conducting random audits is a useful practice and he suggested database activity monitoring software can be of benefit to organizations like Eastern Health when it comes to tracking the use of medical records.
As an example, he said if a file that had not been updated for over six months was suddenly accessed at a time that did not coincide with a hospital admission, that action could constitute a red flag.
Liberal health critic Andrew Parsons said the issue of confidentiality breaches at Eastern Health is serious, particularly given breaches involving medical records have previously occurred.
“There have been previous breaches of privacy at Eastern Health. You had the issue with the medical waste, and it was all shrugged off by (Health Minister Susan Sullivan) at the time as an isolated incident. But it’s starting to look like a disturbing trend, and Ms. Kaminski has to take full responsibility here for her staff.
“I mean 122 breaches by a single nurse ... why couldn’t they have caught this after five? How did they get this far?”
A spokeswoman for the Newfoundland and Labrador Nurses’ Union confirmed the nurse is a union member. She said the union would not comment on the matter.
Health and Community Services Minister Susan Sullivan said Wednesday “We’re always disappointed and concerned when we hear there have been breaches of confidentiality and breaches of privacy within our health care system. That’s my first reaction.
“My second is to assure the patients of Newfoundland and Labrador that this is something that we take very seriously.”
All health authorities across the province conduct random audits on who is accessing patient records. The province has purchased new auditing software scheduled for installation in the near future and employees also make confidentiality pledges.
Western Health is now working to contact everyone whose file was inappropriately accessed. There is no word on how long that will take.
The office of the Information and Privacy Commissioner has also been notified of the breach.
This is not the first time in recent months a provincial health authority has had to contact patients and tell them their private information has been improperly accessed.
Less than two weeks ago, Eastern Health announced it had fired five employees for improperly accessing patient files.
Despite these breaches, Ms. Sullivan said she stands by the health authorities’ record for patient confidentiality.
“We’ve had two major breaches of privacy – we have 21,000 staff within our health authorities; certainly not systemic, not representative of the good quality work that all of our health care providers put in place.”
St. John’s Telegram & Clarenville Packet