Patient records accessed in second major privacy breach for Heartland

By Joel van der Veen

ROSETOWN — The confidential records of around 900 patients were inappropriately accessed by a former employee of Heartland Health Region, administrators revealed last week.

The activity, which took place over a 14-month period, represents the region’s second major privacy breach within a two-year span.

Gayle Riendeau, the region’s vice-president of health services, told the Leader on Thursday that the investigation into the breach is ongoing.

She said the two incidents represent “two different situations under different types of circumstances and different types of systems,” but added that the region may be able to build on what was learned the last time around.

“We are expressing our sincere apologies to those affected,” she said. “Any clients that were affected are being notified.”

Letters have been sent by mail to all affected patients, informing them of the breach and outlining the region’s response.

Riendeau said an alleged breach of privacy was reported to staff, which was immediately followed up with a “thorough investigation” into the allegations.

According to a news release issued by Heartland, the employee accessed the patients’ personal health information via an electronic medical record system, which is considered a breach of privacy under The Health Information Protection Act.

The employee has since been terminated, and their professional association has been duly notified.

The region also stated that the office of the Saskatchewan Information and Privacy Commissioner, the Ministry of Health and eHealth Saskatchewan had each been informed of the incident.

Riendeau said the region would not identify where the offending employee was based or where the breach occurred.

In August 2013, an employee at the region viewed the personal records of 883 patients using the Picture Archiving and Communication System (PACS).

That staff member was disciplined for their actions; later that year, CEO and president Greg Cummings summarized the offence committed as “snooping” and said the actions had been addressed “accordingly.”

Riendeau said such violations of privacy are “a significant issue for us, and something we take very seriously,” adding, “Really, one is too many.”

The news release issued by Heartland listed several corrective actions being taken, noting that administrators are “confident that the steps underway will reduce the risk of such an incident occurring in the future.”

The actions being undertaken included the following:

  • Reviewing and limiting access to ensure the security and safety of personal health information;
  • Reviewing internal approval and authorization processes when new electronic systems are implemented;
  • Reviewing existing provincial privacy impact assessments and/or implementing regional privacy impact assessments as necessary;
  • Developing a process to regularly audit and monitor all electronic systems;
  • Reviewing staff education related to confidentiality and the privacy and protection of personal health information.

Clarification: In a follow-up phone call on Friday, Riendeau indicated the terminated employee had worked for Heartland as a combined lab/x-ray technician (CLXT).