N.S. privacy breach involved people involved in mass shooting | CTV News
Patients involved in N.S. mass shooting among those caught up in major privacy breach
Bill Dicks
Bill Dicks
CTV News Atlantic Current Affairs Producer
Follow | Contact
Updated Feb. 8, 2023 7:50 p.m. GMT
Published Feb. 8, 2023 7:40 p.m. GMT
Share
facebooktwitterreddit More share options
Nova Scotia Health is under the microscope after eight employees were found snooping into medical records.
The privacy breaches involve the electronic health records of people associated with the April 2020 mass shooting in Nova Scotia, among others.
The Office of the Information and Privacy Commissioner says the discoveries were made by Nova Scotia Health after it proactively monitored employees’ access to the records of those involved in or related to the mass shooting.
The health authority did publicly admit to a privacy breach back on Aug. 4, 2020, but did not give specifics, including how it involved those connected to the shootings in Portapique, N.S.
RELATED STORIES
Reports slam province for failing to protect information in N.S. privacy breach
Woman admits to reading confidential medical files
N.B. woman mystified after confidential info of four other patients is mailed to her house
Disciplinary action taken over privacy breach at New Glasgow hospital
High probability files downloaded in Nova Scotia privacy breach contained
Thousands of Health PEI patients, staff affected by privacy breach after laptop stolen
Officials caught 'snooping' on health records, N.S. privacy commissioner says
Employee dismissed after “significant privacy breach” at New Brunswick hospital
RELATED LINKS
Read the commissioner's full report
As part of its investigation, Nova Scotia Health conducted additional audits of the employees’ access to electronic health records, which revealed even more snooping, going back for years.
Nova Scotia Health voluntarily reported the breaches to the Office of the Information and Privacy Commissioner on June 15, 2020.
In a news release Wednesday, the privacy commissioner said the employees also looked up friends, colleagues, and acquaintances. In total, Nova Scotia Health’s investigation uncovered more than 1,200 privacy breaches affecting 270 people.
Privacy Commissioner Tricia Ralph told CTV News charges aren’t being considered because too much time has passed between when the employees were caught and the completion of the investigation.
Current law provides a 12-month window for prosecution.
Had charges been laid for the privacy breaches, they would fall under Nova Scotia’s Personal Health Information Act (PHIA).
Ralph also said there was no evidence to suggest the information was used for anything nefarious. Everyone whose files were compromised was notified.
In an emailed response Wednesday to questions from CTV News, Nova Scotia Health said:
“We apologize to each impacted patient. This breach added further unnecessary harm to the families of those who lost loved ones in April 2020. We deeply regret that this breach took place.”
In response to the snooping, Nova Scotia Health terminated the employment of some of the workers, while others received verbal reprimands and suspensions.
Some of the job classifications involved in these incidents included a booking and registration clerk, a nurse practitioner, and a secretary at an outpatient clinic.
CALL FOR NOVA SCOTIA HEALTH TO IMPROVE PRACTICES
In light of the revelations, Ralph has called on Nova Scotia Health to improve practices to prevent employees from snooping into personal information of its patients.
She gave 12 recommendations that she hopes Nova Scotia Health will implement over the next year, including implementing a user access request and approval process for its electronic information systems.
The commissioner does feel many steps taken by Nova Scotia Health were reasonable.
For example, she said, had it not proactively monitored employee access to electronic health information systems, the privacy breaches would never have been discovered.
However, Ralph said in the release, while Nova Scotia Health does have privacy-relevant policies and protocols, they are at times outdated, unclear, and in many cases, not being followed.
She also noted that policies, training and penalties are not always enough to deter some employees from snooping, adding the temptation to snoop is irresistible for some.
According to the commissioner, Nova Scotia Health is considering the report and has indicated that it intends to accept most of the recommendations.
Nova Scotia Health will have 30 days to formally decide whether it will follow Ralph’s recommendations.
These instances of Nova Scotia Health employees being caught snooping aren’t unique.
In 2018, an investigation uncovered unauthorized access of 335 personal health records by six different staff members at multiple work sites.
At the time, then-commissioner Catherine Tully said an investigation revealed a "dangerous and insidious culture of entitlement" to viewing records at the Nova Scotia Health Authority, with unauthorized access in some cases taking place over a long period of time.
Bill Dicks
Bill Dicks
CTV News Atlantic Current Affairs Producer
Follow | Contact
Updated Feb. 8, 2023 7:50 p.m. GMT
Published Feb. 8, 2023 7:40 p.m. GMT
Share
facebooktwitterreddit More share options
Nova Scotia Health is under the microscope after eight employees were found snooping into medical records.
The privacy breaches involve the electronic health records of people associated with the April 2020 mass shooting in Nova Scotia, among others.
The Office of the Information and Privacy Commissioner says the discoveries were made by Nova Scotia Health after it proactively monitored employees’ access to the records of those involved in or related to the mass shooting.
The health authority did publicly admit to a privacy breach back on Aug. 4, 2020, but did not give specifics, including how it involved those connected to the shootings in Portapique, N.S.
RELATED STORIES
Reports slam province for failing to protect information in N.S. privacy breach
Woman admits to reading confidential medical files
N.B. woman mystified after confidential info of four other patients is mailed to her house
Disciplinary action taken over privacy breach at New Glasgow hospital
High probability files downloaded in Nova Scotia privacy breach contained
Thousands of Health PEI patients, staff affected by privacy breach after laptop stolen
Officials caught 'snooping' on health records, N.S. privacy commissioner says
Employee dismissed after “significant privacy breach” at New Brunswick hospital
RELATED LINKS
Read the commissioner's full report
As part of its investigation, Nova Scotia Health conducted additional audits of the employees’ access to electronic health records, which revealed even more snooping, going back for years.
Nova Scotia Health voluntarily reported the breaches to the Office of the Information and Privacy Commissioner on June 15, 2020.
In a news release Wednesday, the privacy commissioner said the employees also looked up friends, colleagues, and acquaintances. In total, Nova Scotia Health’s investigation uncovered more than 1,200 privacy breaches affecting 270 people.
Privacy Commissioner Tricia Ralph told CTV News charges aren’t being considered because too much time has passed between when the employees were caught and the completion of the investigation.
Current law provides a 12-month window for prosecution.
Had charges been laid for the privacy breaches, they would fall under Nova Scotia’s Personal Health Information Act (PHIA).
Ralph also said there was no evidence to suggest the information was used for anything nefarious. Everyone whose files were compromised was notified.
In an emailed response Wednesday to questions from CTV News, Nova Scotia Health said:
“We apologize to each impacted patient. This breach added further unnecessary harm to the families of those who lost loved ones in April 2020. We deeply regret that this breach took place.”
In response to the snooping, Nova Scotia Health terminated the employment of some of the workers, while others received verbal reprimands and suspensions.
Some of the job classifications involved in these incidents included a booking and registration clerk, a nurse practitioner, and a secretary at an outpatient clinic.
CALL FOR NOVA SCOTIA HEALTH TO IMPROVE PRACTICES
In light of the revelations, Ralph has called on Nova Scotia Health to improve practices to prevent employees from snooping into personal information of its patients.
She gave 12 recommendations that she hopes Nova Scotia Health will implement over the next year, including implementing a user access request and approval process for its electronic information systems.
The commissioner does feel many steps taken by Nova Scotia Health were reasonable.
For example, she said, had it not proactively monitored employee access to electronic health information systems, the privacy breaches would never have been discovered.
However, Ralph said in the release, while Nova Scotia Health does have privacy-relevant policies and protocols, they are at times outdated, unclear, and in many cases, not being followed.
She also noted that policies, training and penalties are not always enough to deter some employees from snooping, adding the temptation to snoop is irresistible for some.
According to the commissioner, Nova Scotia Health is considering the report and has indicated that it intends to accept most of the recommendations.
Nova Scotia Health will have 30 days to formally decide whether it will follow Ralph’s recommendations.
These instances of Nova Scotia Health employees being caught snooping aren’t unique.
In 2018, an investigation uncovered unauthorized access of 335 personal health records by six different staff members at multiple work sites.
At the time, then-commissioner Catherine Tully said an investigation revealed a "dangerous and insidious culture of entitlement" to viewing records at the Nova Scotia Health Authority, with unauthorized access in some cases taking place over a long period of time.