The Heartland Health Region is in the process of trying to come up with a set of recommendations to address a serious privacy breach where an employee inappropriately viewed the personal health information of 883 patients.
Greg Cummings, CEO and president of Heartland Health Region, said an investigation into the incident is still ongoing and they do not want to jump to a conclusion before the whole analysis is completed. He said the region needs to take action to understand what happened and why it happened, so from a “root cause analysis” they can decide what actions are needed in order to prevent it from occurring again.
“It obviously indicates that there’s a weakness in our ability to audit these kinds of actions by employees in real time,” said Cummings. “We clearly need to tighten up our auditing and security measures, but the problem even with that is that we know that’s something that happens after the fact. It’s too late by the time you’ve caught somebody via an audit, so there will be other things that we will need to do to ensure that employees are well aware of their responsibilities.”
Cummings said the region’s investigation first involved a look into the affected system to see all of the people who accessed the system and the number of times a health record has been viewed. He said then through a closer examination they were able to discover whether or not the person who was looking at the information had a legitimate reason for doing so.
“A legitimate reason would be that the care provider is part of the team that is working with the particular patient and was looking at the record in order to have the right information to be able to deliver appropriate and safe care,” he said. “In this case we found that the employee looked at a lot of information that the employee had no legitimate reason to be viewing.”
The information viewed was electronic records related to the diagnostic imaging (X-rays) department and the person who viewed the information was an employee in this department at this time. Heartland Health Region’s X-rays in most of their sites are done digitally and sent electronically and employees access the information through an electronic Picture Archiving and Communication System (PACS).
Personal information collected by PACS includes a patient’s name, address, phone number, date of birth, health services number as well as information about the type of diagnostic imaging exam, clinical results and the physician’s name.
Cummings said what the offence committed comes down to is “snooping” and they do not know what the employee’s motivation was. He said the region has since dealt with the employee “accordingly” for their actions.
To read more please see the November 4 print edition of The Davidson Leader.