Sask. privacy commissioner calls health authority's response to faxed data breaches inadequate - Action News
Home WebMail Friday, November 22, 2024, 12:03 PM | Calgary | -10.5°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Saskatchewan

Sask. privacy commissioner calls health authority's response to faxed data breaches inadequate

Saskatchewan's privacy commissioner is urging the provincial health authority to part ways with fax machines because of numerous privacy breaches involving the dated method of communication.

SHA employees faxed private info to small town office, Parole Board of Canada

The privacy commissioner said he has been calling for the elimination of traditional faxes and for updates on SHA's work to address the systemic faxing problem since February 2022. (junpiiiiiiiiiii/Shutterstock )

Saskatchewan's privacy commissioner is urging the provincial health authority to part ways with fax machines after investigatingnumerous privacy breaches involving the dated method of communication.

The commissioner's office has investigated approximately 42 incidents of misdirected faxes by the Saskatchewan Health Authority (SHA) since 2018.

The SHA did not adequately respond to two recent data breaches where staff sent private information to random recipients rather than the intended health-related professional, according to latest report on the issue from Saskatchewan's information and privacy commissioner Ron Kruzeniski.

Information was sent to the Town of Gravelbourg and the Parole Board of Canada, according to the investigative report from Kruzeniski, dated Nov. 28, 2022.

The privacy commissioner was notified of the data breaches because the organizations reported receiving the information his office.

After investigation, Kruzeniski determined that the SHAdidn't do an adequate job of notifying the affected people, nor did it take adequate steps to prevent further breaches.

He also noted that, since January 2022, he has issued seven investigation reports involving misdirected faxes.Kruzeniski said the SHA does not report all errors to his office, so he doesn't know how many more breaches occurred.

"I have serious concerns about the privacy risks that arise from the ongoing use of faxes to send personal information and personal health information," he wrote.

He has previously recommended that the SHA proactively report all misdirected fax breaches to his office so they can track and report publicly on the progress of "SHA's efforts to address the privacy risks and bring some transparency and accountability to its work to address this problem."

"SHA has stated that it does not agree with this recommendation."

The 2 incidents

The town of Gravelbourg notified thecommissioner's office on June 15, 2022, that it had receivedinformation from the Maple Creek public health office.

The town reportedly destroyed the information and the commissioner's office commenced an investigation.

The SHA did not notify the person whose privacy was breached until the end of August. According to the report, the SHA stated it attempted to call theperson before that, but had no luck.

"SHA should not have waited two months before mailing the written notice," Kruzeniski wrote.

The Parole Board of Canada advised the commissioner's office it received a fax from the Royal University Hospital (RUH) containing personal health information on June 10, 2022. It too deleted the information, which originated from the genomicslab.

RUH notified the affected person 11 days later.

Kruzeniskitook issue with thenoticegiven, saying the SHA did "not include a description of the types of harm that may occur because of the privacy breaches and information about how the affected individuals could change their health services number."

He said this is critical because the person's date of birth and health services number were involved.

The commissioner said he has been calling for the elimination of traditional faxes and for updates on the SHA's work to address the systemic faxing problem since Feb. 2, 2022.

Kruzeniski wrote that Canada's federal, provincial and territorial privacy commissioners and ombudspeoplepassed a resolution in September 2022 titled, "Securing Public Trust in Digital Healthcare."

It calls for the health-care sector to modernize and strengthen privacy when it comes to sharing personal information. This call to action includes phasing out the use of fax machines.

"My hope is that SHA will heed this call to action,"Kruzeniski wrote.

SHA did not immediately respond to CBC's request for comment.