Health-care privacy breach numbers ‘truly alarming’

Manitoba hospital workers have breached patients’ privacy more than 1,000 times in the last three years — but how many were disciplined and what consequences they faced is unclear.

This article was published 08/11/2022.

It’s an issue one ethicist calls “alarming,” saying the public deserves to know more about workers snooping into sensitive files.

Data obtained by the Free Press via freedom of information law reveal Manitoba hospitals recorded about 1,150 privacy breaches between January 2019 and April 2022. Just three health units say they disciplined staff — one each — following breaches.

“I find it truly alarming that there have been 1,000 documented breaches of confidentiality of patient care information,” said Arthur Schafer, founding director of the Centre for Professional and Applied Ethics at the University of Manitoba, noting that amounts to roughly one a day.

The highest number of breaches occurred at Winnipeg’s Health Sciences Centre — with 86 in 2019, 79 in 2020, and 82 in 2021 — though it also has more staff than other hospitals, with about 8,000 workers. (Winnipeg Free Press files)

Schafer said health-care privacy breaches are serious matters. Patients need to feel safe disclosing sensitive information without fear it will be accessed inappropriately, he said.

Health authorities must be transparent about the consequences in order to deter others and to reassure the public that such breaches are taken seriously, he added.

“How many times do you have to violate patient confidentiality before you’re fired?”

The statistics analyzed by the Free Press show two hospitals had noticeably higher numbers of breaches compared to other years: Brandon Regional Health Centre (Prairie Mountain Health) recorded 85 breaches in 2021, up from 24 and 21 in 2019 and 2020, respectively; Thompson General Hospital (Northern Health) had 80 in 2020, up from 45 in 2019, before a drop to 24 in 2021.

Prairie Mountain said Brandon’s high number in 2021 was due to misdirected faxes from a transcription system, and it has since taken steps to correct the issue.

Northern Health officials said they couldn’t speculate on reasons for the 2020 jump at the Thompson hospital.

The highest number of breaches occurred at Winnipeg’s Health Sciences Centre — with 86 in 2019, 79 in 2020, and 82 in 2021 — though it also has more staff than other hospitals, with about 8,000 workers.

In its FIPPA response, Northern Health confirmed one former employee was responsible for six of its 273 breaches since 2019. Southern Health said one employee was disciplined in relation to at least one of its 144 privacy breaches. Interlake-Eastern said one employee was responsible for three of its 18 breaches.

When asked what discipline the Northern Health employee faced, spokesperson Twyla Storey said: “Notification of the breach was reported to the (Manitoba) ombudsman.”

Southern Health privacy officer Lee Bassett said disclosing discipline would be “an unreasonable invasion of the individual’s privacy related to their employment history.”

Similarly, Interlake-Eastern spokesperson Lita Savage-Murray cited employee privacy as the reason any discipline wouldn’t be disclosed.

Some health authorities and hospitals confirmed they keep the discipline information in employee files, but also said they don’t formally track such data.

“The records for any discipline faced by the employee who was responsible for the privacy breach does not exist due to system limitations, therefore, access to the remaining records that you requested is refused,” reads the FIPPA response letter from Northern Health, citing disclosure exemptions in the Freedom of Information and Protection of Privacy Act.

Brandon Regional Health Centre recorded 85 breaches in 2021, up from 24 and 21 in 2019 and 2020, respectively. (Brandon Sun files)

The response highlights a “loophole” in access to information legislation, one expert says.

“They’re not saying it doesn’t exist at all — they’re saying it doesn’t exist because we don’t want to compile or retrieve it,” said Kevin Walby, associate professor of criminal justice at the University of Winnipeg and director of the Centre for Access to Information and Justice.

Walby said the sections of the legislation dealing with “records” can be problematic. While it allows public bodies to refuse to disclose information if it isn’t already compiled, it also can encourage governments to keep poor records, allowing them to sidestep disclosures.

“These are the games that bureaucrats play,” he said. “It goes against the spirit of the law and in some cases, it goes against letter, too.”

FIPPA legislation defines a privacy breach as theft, loss, access, use, disclosure, destruction or alteration of personal information.

When a breach occurs, hospitals must notify the person whose information was inappropriately accessed, if “the breach could reasonably be expected to create a real risk of significant harm to the individual.”

Significant harm includes “bodily harm, humiliation, damage to the individual’s reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the individual’s credit rating or report, and damage to or loss of the individual’s property.”

As of January, FIPPA law requires the public body to notify the ombudsman in cases expected to involve significant harm.

Health authorities said they determine discipline on a case-by-case basis, which can include firings. It’s unclear how many of the 1,150 privacy breaches since 2019 involved “significant harm.”

In rare cases, criminal prosecutions are also possible.

Last year, Manitoba’s ombudsman charged a privacy officer at a health-care facility with three counts of disclosing personal information under the Personal Health Information Act. The unnamed woman, whose employer was also not identified, was accused of viewing and sharing a man’s personal health information.

When a breach occurs, hospitals must notify the person whose information was inappropriately accessed if the breach could be expected to create a risk of significant harm to the individual. (Mikaela MacKenzie / Winnipeg Free Press files)

The ombudsman confirmed the court matter — just the second snooping-related case to result in charges since the health information law changed in 2013 — concluded this summer. The woman pleaded guilty to accessing a health record without authorization and was fined $5,500.

The charges carry a maximum penalty of $50,000 per violation.

In 2019, the Free Press investigated how hospitals handle cases of snooping, after learning a Grace Hospital employee had quietly been fired four years earlier, after looking into the personal health files of five Winnipeg Jets players.

At the time, a whistleblower told the newspaper dozens of employees were known to snoop but just one faced consequences. The investigation highlighted issues of secrecy and poor tracking systems surrounding privacy breaches.

katrina.clarke@freepress.mb.ca

Health privacy breaches in the news

2011: The provincial ombudsman’s office investigates a privacy breach at CancerCare Manitoba. The probe results in a recommendation snooping in patient files be made explicitly illegal.
December 2013: The law is changed, making it an offence to access patient files without authorization. The maximum fine is set at $50,000.
September 2014: The Winnipeg Regional Health Authority says a doctor’s laptop, containing the personal health information of 322 patients, was stolen from a city office. The laptop was not password-protected, and the MD violated protocol for storing the information on the device. It’s not clear if the physician was disciplined.
November 2014: The ombudsman investigates a breach of protocol in which a provincial health employee accessed the personal health information of at least 13 people. The employee was later fined.
March 2015: The WRHA informs the public it has parted company with a pharmacist at Grace Hospital, after discovering he inappropriately accessed the medical records of 56 patients. Health officials say they discovered the breach during a routine audit.
November 2016: The WRHA says a file containing the personal health information of about 1,000 patients was stolen from a locked office at Health Sciences Centre.
November 2016: A longtime Manitoba Health worker inappropriately accessed close to 200 health records to find addresses to send out birthday cards, the public is told. The department said the employee has “moved on” from her job.
May 2017: A nurse is fined $1,000 by the College of Registered Nurses of Manitoba for providing a volunteer with unauthorized access to medical records. Four nurses were censured by the college for similar breaches a year earlier.
May 2018: The WRHA confirms a nurse scrolled through the private records of about 1,600 patients of the Grace Hospital emergency department. The health authority says the individual accessed the files out of a desire to learn. It confirmed the nurse no longer works for the WRHA.
August 2020: Children’s Disability Services staff accidentally sent an email intended for the Manitoba children’s advocate to about 100 agencies and advocacy groups. The email contained confidential information about nearly 9,000 children with disabilities. Manitoba Families attributed the blunder to “human error.”
August 2021: Shared Health says 90 Manitobans were potential victims of a privacy breach, after an employee inappropriately accessed patient records. The employee was working in the neonatal intensive care unit at HSC. There was no word on what, if any, discipline the employee faced.
October 2021: The ombudsman charges a privacy officer at a Manitoba health-care facility with three counts of disclosing personal information under the Personal Health Information Act. The woman allegedly viewed and shared a man’s info. She pleaded guilty to accessing a health record without authorization (snooping) and was fined $5,500.

Katrina Clarke
Reporter

Katrina Clarke is an investigative reporter with the Winnipeg Free Press.

History

Updated on Thursday, November 10, 2022 8:40 AM CST: Corrects verb
