Health-care privacy breach numbers ‘truly alarming’

Manitoba hospital workers have breached patients’ privacy more than 1,000 times in the last three years — but how many were disciplined and what consequences they faced is unclear.

Read this article for free:

or

Already have an account? Log in here »

To continue reading, please subscribe:

Monthly Digital Subscription

$19 $0 for the first 4 weeks*

  • Enjoy unlimited reading on winnipegfreepress.com
  • Read the E-Edition, our digital replica newspaper
  • Access News Break, our award-winning app
  • Play interactive puzzles

*No charge for four weeks then billed as $19 plus GST every four weeks. Offer only available to new and qualified returning subscribers. Cancel any time.

Hey there, time traveller!
This article was published 08/11/2022 (777 days ago), so information in it may no longer be current.

Manitoba hospital workers have breached patients’ privacy more than 1,000 times in the last three years — but how many were disciplined and what consequences they faced is unclear.

It’s an issue one ethicist calls “alarming,” saying the public deserves to know more about workers snooping into sensitive files.

Data obtained by the Free Press via freedom of information law reveal Manitoba hospitals recorded about 1,150 privacy breaches between January 2019 and April 2022. Just three health units say they disciplined staff — one each — following breaches.

“I find it truly alarming that there have been 1,000 documented breaches of confidentiality of patient care information,” said Arthur Schafer, founding director of the Centre for Professional and Applied Ethics at the University of Manitoba, noting that amounts to roughly one a day.

The highest number of breaches occurred at Winnipeg’s Health Sciences Centre — with 86 in 2019, 79 in 2020, and 82 in 2021 — though it also has more staff than other hospitals, with about 8,000 workers. (Winnipeg Free Press files)
The highest number of breaches occurred at Winnipeg’s Health Sciences Centre — with 86 in 2019, 79 in 2020, and 82 in 2021 — though it also has more staff than other hospitals, with about 8,000 workers. (Winnipeg Free Press files)

Schafer said health-care privacy breaches are serious matters. Patients need to feel safe disclosing sensitive information without fear it will be accessed inappropriately, he said.

Health authorities must be transparent about the consequences in order to deter others and to reassure such breaches are taken seriously, he added.

“How many times do you have to violate patient confidentiality before you’re fired?”

The statistics analyzed by the Free Press show two hospitals had noticeably higher numbers of breaches compared to other years: Brandon Regional Health Centre (Prairie Mountain Health) recorded 85 breaches in 2021, up from 24 and 21 in 2019 and 2020, respectively; Thompson General Hospital (Northern Health) had 80 in 2020, up from 45 in 2019, before a drop to 24 in 2021.

Prairie Mountain said Brandon’s high number in 2021 was due to misdirected faxes from a transcription system, and it has since taken steps to correct the issue.

Northern Health officials said they couldn’t speculate on reasons for the 2020 jump at the Thompson hospital.

The highest number of breaches occurred at Winnipeg’s Health Sciences Centre — with 86 in 2019, 79 in 2020, and 82 in 2021 — though it also has more staff than other hospitals, with about 8,000 workers.

In its FIPPA response, Northern Health confirmed one former employee was responsible for six of its 273 breaches since 2019. Southern Health said one employee was disciplined in relation to at least one of its 144 privacy breaches. Interlake-Eastern said one employee was responsible for three of its 18 breaches.

When asked what discipline the Northern Health employee faced, spokesperson Twyla Storey said: “Notification of the breach was reported to the (Manitoba) ombudsman.”

Southern Health privacy officer Lee Bassett said disclosing discipline would be “an unreasonable invasion of the individual’s privacy related to their employment history.”

Similarly, Interlake-Eastern spokesperson Lita Savage-Murray cited employee privacy as the reason any discipline wouldn’t be disclosed.

Some health authorities and hospitals confirmed they keep the discipline information in employee files, but also said they don’t formally track such data.

“The records for any discipline faced by the employee who was responsible for the privacy breach does not exist due to system limitations, therefore, access to the remaining records that you requested is refused,” reads the FIPPA response letter from Northern Health, citing disclosure exemptions in the Freedom of Information and Protection of Privacy Act.

Brandon Regional Health Centre recorded 85 breaches in 2021, up from 24 and 21 in 2019 and 2020, respectively. (Brandon Sun files)
Brandon Regional Health Centre recorded 85 breaches in 2021, up from 24 and 21 in 2019 and 2020, respectively. (Brandon Sun files)

The response highlights a “loophole” in access to information legislation, one expert says.

“They’re not saying it doesn’t exist at all — they’re saying it doesn’t exist because we don’t want to compile or retrieve it,” said Kevin Walby, associate professor of criminal justice at the University of Winnipeg and director of the Centre for Access to Information and Justice.

Walby said the sections of the legislation dealing with “records” can be problematic. While it allows public bodies to refuse to disclose information if it isn’t already compiled, it also can encourage governments to keep poor records, allowing them to sidestep disclosures.

“These are the games that bureaucrats play,” he said. “It goes against the spirit of the law and in some cases, it goes against letter, too.”

FIPPA legislation defines a privacy breach as theft, loss, access, use, disclosure, destruction or alteration of personal information.

When a breach occurs, hospitals must notify the person whose information was inappropriately accessed, if “the breach could reasonably be expected to create a real risk of significant harm to the individual.”

Significant harm includes “bodily harm, humiliation, damage to the individual’s reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the individual’s credit rating or report, and damage to or loss of the individual’s property.”

“These are the games that bureaucrats play… It goes against the spirit of the law and in some cases, it goes against letter, too.”–Kevin Walby

As of January, FIPPA law requires the public body to notify the ombudsman in cases expected to involve significant harm.

Health authorities said they determine discipline on a case-by-case basis, which can include firings. It’s unclear how many of the 1,150 privacy breaches since 2019 involved “significant harm.”

In rare cases, criminal prosecutions are also possible.

Last year, Manitoba’s ombudsman charged a privacy officer at a health-care facility with three counts of disclosing personal information under the Personal Health Information Act. The unnamed woman, whose employer was also not identified, was accused of viewing and sharing a man’s personal health information.

When a breach occurs, hospitals must notify the person whose information was inappropriately accessed if the breach could be expected to create a risk of significant harm to the individual. (Mikaela MacKenzie / Winnipeg Free Press files)
When a breach occurs, hospitals must notify the person whose information was inappropriately accessed if the breach could be expected to create a risk of significant harm to the individual. (Mikaela MacKenzie / Winnipeg Free Press files)

The ombudsman confirmed the court matter — just the second snooping-related case to result in charges since the health information law changed in 2013 — concluded this summer. The woman pleaded guilty to accessing a health record without authorization and was fined $5,500.

The charges carry a maximum penalty of $50,000 per violation.

In 2019, the Free Press investigated how hospitals handle cases of snooping, after learning a Grace Hospital employee had quietly been fired four years earlier, after looking into the personal health files of five Winnipeg Jets players.

At the time, a whistleblower told the newspaper dozens of employees were known to snoop but just one faced consequences. The investigation highlighted issues of secrecy and poor tracking systems surrounding privacy breaches.

katrina.clarke@freepress.mb.ca

Health privacy breaches in the news

2011: The provincial ombudsman’s office investigates a privacy breach at CancerCare Manitoba. The probe results in a recommendation snooping in patient files be made explicitly illegal.
December 2013: The law is changed, making it an offence to access patient files without authorization. The maximum fine is set at $50,000.
September 2014: The Winnipeg Regional Health Authority says a doctor’s laptop, containing the personal health information of 322 patients, was stolen from a city office. The laptop was not password-protected, and the MD violated protocol for storing the information on the device. It’s not clear if the physician was disciplined.
November 2014: The ombudsman investigates a breach of protocol in which a provincial health employee accessed the personal health information of at least 13 people. The employee was later fined.
March 2015: The WRHA informs the public it has parted company with a pharmacist at Grace Hospital, after discovering he inappropriately accessed the medical records of 56 patients. Health officials say they discovered the breach during a routine audit.
November 2016: The WRHA says a file containing the personal health information of about 1,000 patients was stolen from a locked office at Health Sciences Centre.
November 2016: A longtime Manitoba Health worker inappropriately accessed close to 200 health records to find addresses to send out birthday cards, the public is told. The department said the employee has “moved on” from her job.
May 2017: A nurse is fined $1,000 by the College of Registered Nurses of Manitoba for providing a volunteer with unauthorized access to medical records. Four nurses were censured by the college for similar breaches a year earlier.
May 2018: The WRHA confirms a nurse scrolled through the private records of about 1,600 patients of the Grace Hospital emergency department. The health authority says the individual accessed the files out of a desire to learn. It confirmed the nurse no longer works for the WRHA.
August 2020: Children’s Disability Services staff accidentally sent an email intended for the Manitoba children’s advocate to about 100 agencies and advocacy groups. The email contained confidential information about nearly 9,000 children with disabilities. Manitoba Families attributed the blunder to “human error.”
August 2021: Shared Health says 90 Manitobans were potential victims of a privacy breach, after an employee inappropriately accessed patient records. The employee was working in the neonatal intensive care unit at HSC. There was no word on what, if any, discipline the employee faced.
October 2021: The ombudsman charges a privacy officer at a Manitoba health-care facility with three counts of disclosing personal information under the Personal Health Information Act. The woman allegedly viewed and shared a man’s info. She pleaded guilty to accessing a health record without authorization (snooping) and was fined $5,500.

Katrina Clarke

Katrina Clarke
Reporter

Katrina Clarke is an investigative reporter with the Winnipeg Free Press.

Our newsroom depends on a growing audience of readers to power our journalism. If you are not a paid reader, please consider becoming a subscriber.

Our newsroom depends on its audience of readers to power our journalism. Thank you for your support.

History

Updated on Thursday, November 10, 2022 8:40 AM CST: Corrects verb

Report Error Submit a Tip