Patients involved in N.S. mass shooting among those caught up in major privacy breach

Nova Scotia Health is under the microscope after eight employees were found snooping into medical records.

The privacy breaches involve the electronic health records of people associated with the April 2020 mass shooting in Nova Scotia, among others.

The Office of the Information and Privacy Commissioner says the discoveries were made by Nova Scotia Health after it proactively monitored employees’ access to the records of those involved in or related to the mass shooting.

The health authority did publicly admit to a privacy breach back on Aug. 4, 2020, but did not give specifics, including how it involved those connected to the shootings in Portapique, N.S.

As part of its investigation, Nova Scotia Health conducted additional audits of the employees’ access to electronic health records, which revealed even more snooping, going back for years.

Nova Scotia Health voluntarily reported the breaches to the Office of the Information and Privacy Commissioner on June 15, 2020.

In a news release Wednesday, the privacy commissioner said the employees also looked up friends, colleagues, and acquaintances. In total, Nova Scotia Health’s investigation uncovered more than 1,200 privacy breaches affecting 270 people.

Privacy Commissioner Tricia Ralph told CTV News charges aren’t being considered because too much time has passed between when the employees were caught and the completion of the investigation.

Current law provides a 12-month window for prosecution.

Had charges been laid for the privacy breaches, they would fall under Nova Scotia’s Personal Health Information Act (PHIA).

Ralph also said there was no evidence to suggest the information was used for anything nefarious. Everyone whose files were compromised was notified.

In an emailed response Wednesday to questions from CTV News, Nova Scotia Health said:

“We apologize to each impacted patient. This breach added further unnecessary harm to the families of those who lost loved ones in April 2020. We deeply regret that this breach took place.”

In response to the snooping, Nova Scotia Health terminated the employment of some of the workers, while others received verbal reprimands and suspensions.

Some of the job classifications involved in these incidents included a booking and registration clerk, a nurse practitioner, and a secretary at an outpatient clinic.

CALL FOR NOVA SCOTIA HEALTH TO IMPROVE PRACTICES

In light of the revelations, Ralph has called on Nova Scotia Health to improve practices to prevent employees from snooping into personal information of its patients.

She gave 12 recommendations that she hopes Nova Scotia Health will implement over the next year, including implementing a user access request and approval process for its electronic information systems.

The commissioner does feel many steps taken by Nova Scotia Health were reasonable.

For example, she said, had it not proactively monitored employee access to electronic health information systems, the privacy breaches would never have been discovered.

However, Ralph said in the release, while Nova Scotia Health does have privacy-relevant policies and protocols, they are at times outdated, unclear, and in many cases, not being followed.

She also noted that policies, training and penalties are not always enough to deter some employees from snooping, adding the temptation to snoop is irresistible for some.

According to the commissioner, Nova Scotia Health is considering the report and has indicated that it intends to accept most of the recommendations.

Nova Scotia Health will have 30 days to formally decide whether it will follow Ralph’s recommendations.

These instances of Nova Scotia Health employees being caught snooping aren’t unique.

In 2018, an investigation uncovered unauthorized access of 335 personal health records by six different staff members at multiple work sites.

At the time, then-commissioner Catherine Tully said an investigation revealed a "dangerous and insidious culture of entitlement" to viewing records at the Nova Scotia Health Authority, with unauthorized access in some cases taking place over a long period of time.
