Hospital breach highlights need for better reporting of leaks, says watchdog - Action News
Home WebMail Sunday, November 24, 2024, 12:45 AM | Calgary | -12.4°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Nova Scotia

Hospital breach highlights need for better reporting of leaks, says watchdog

Nova Scotia's privacy watchdog says the accessing of 707 patient records at Shelburne's Roseway Hospital remains one of the largest health-care information breaches in Canada five years later and highlights the need for mandatory reporting to her office of major leaks.

Only minor breaches, where there's no risk of harm or embarrassment, must be reported to privacy commissioner

N.S. privacy privacy commissioner Catherine Tully has recommended the Justice Department release records into Clayton Cromwell's death at a Dartmouth jail in 2014. (CBC)

Nova Scotia's privacy watchdog saysthe accessing of 707 patient records at Shelburne'sRosewayHospital remains one of thelargest health-care information breaches in Canada five years later and highlights the need for mandatory reporting to her office of major leaks.

A proposed$1-million settlement is scheduled to be heard Thursday in Nova Scotia Supreme Court in Halifax as part ofa class action lawsuit filed against the South West District Health Authority following the breach.

If approved, the settlement would compensatehundreds of patients whose personal records were inappropriately viewed by a hospital admissions clerk for more than a year.

Catherine Tully, the province's information and privacy commissioner, said it's unfortunate "taxpayers will pay for these types of mistakes," but she was hopeful asettlement would encourage the strengthening ofprivacy protection programs.

Under Nova Scotia's Personal Health and Information Act, only minor breaches where there's no potential for harm or embarrassment to the patient must be reported to Tully'soffice.

Major breaches, such asthe one at theShelburne hospital, aren't required to be reported to the office. Only patients must benotified.

Preventing further breaches

Tully said it's important that the independent oversight office is alerted to serious breaches in order to get a handle on their scope, to detect patternsand to recommend strong education, training and prevention strategies.

In the Shelburne case, the clerk was caught snooping around patient files at a work computer by another employee in 2012. An audit of her work activity uncovered 707patients whose private records had been looked at for more than a year. She was unauthorized to access most of the files and was fired.

A lot is at stake when medical information is leaked, especiallyin a small town like Shelburne, said Tully.

Inaddition to personal embarrassment,there could bea hit to reputation, a risk to employment, emotional harmand identity theft.

Complaints to police

She said mandatory reporting would also pave the way for her office to bring complaints forward to police.

Under provincial law,if someone is charged and convicted of wilfully gaining or attempting to gain access to health information in contravention of the act, they could be fined up to $10,000 or jailed for six months.

TheRCMPsaid there was no investigation into theRosewayincident.

Not havingmandatory alerts"is a significant weakness in our current access and privacy laws in Nova Scotia," said Tully.

Act currently under review

CBC News contacted the Department of Health and Wellness about the commissioner's recommendation that reporting of majorbreaches be mandatory.

Spokesperson Andrew Preeperreiterated that all breaches must be reported to either the privacy commissioner or the patient.

"The legislation requires that [the Personal Health and Information Act]be reviewed after threeyears. This review is currently taking place," he said.

CBC News also asked the Internal Services Department about how much has been paid out in compensation for privacy leaks by public bodies.

Adepartment spokesperson has been working on the request for two days and said additional time is required.