Hospital breach highlights need for better reporting of leaks, says watchdog

Nova Scotia's privacy watchdog says the accessing of 707 patient records at Shelburne's Roseway Hospital remains one of the largest health-care information breaches in Canada five years later and highlights the need for mandatory reporting to her office of major leaks.

Only minor breaches, where there's no risk of harm or embarrassment, must be reported to privacy commissioner

N.S. privacy commissioner Catherine Tully has recommended the Justice Department release records into Clayton Cromwell's death at a Dartmouth jail in 2014. (CBC)

A proposed $1-million settlement is scheduled to be heard Thursday in Nova Scotia Supreme Court in Halifax as part of a class action lawsuit filed against the South West District Health Authority following the breach.

If approved, the settlement would compensate hundreds of patients whose personal records were inappropriately viewed by a hospital admissions clerk for more than a year.

Catherine Tully, the province's information and privacy commissioner, said it's unfortunate "taxpayers will pay for these types of mistakes," but she was hopeful a settlement would encourage the strengthening of privacy protection programs.

Under Nova Scotia's Personal Health and Information Act, only minor breaches — where there's no potential for harm or embarrassment to the patient — must be reported to Tully's office.

Major breaches, such as the one at the Shelburne hospital, aren't required to be reported to the office. Only patients must be notified.

Preventing further breaches

Tully said it's important that the independent oversight office is alerted to serious breaches in order to get a handle on their scope, to detect patterns and to recommend strong education, training and prevention strategies.

In the Shelburne case, another employee caught the clerk snooping through patient files at a work computer in 2012. An audit of her work activity uncovered 707 patients whose private records had been looked at over more than a year. She was not authorized to access most of the files and was fired.

A lot is at stake when medical information is leaked, especially in a small town like Shelburne, said Tully.

In addition to personal embarrassment, there could be a hit to reputation, a risk to employment, emotional harm and identity theft.

Complaints to police

She said mandatory reporting would also pave the way for her office to bring complaints forward to police.

Under provincial law, if someone is charged and convicted of wilfully gaining or attempting to gain access to health information in contravention of the act, they could be fined up to $10,000 or jailed for six months.

The RCMP said there was no investigation into the Roseway incident.

Not having mandatory alerts "is a significant weakness in our current access and privacy laws in Nova Scotia," said Tully. 

Act currently under review

CBC News contacted the Department of Health and Wellness about the commissioner's recommendation that reporting of major breaches be mandatory.

Spokesperson Andrew Preeper reiterated that all breaches must be reported to either the privacy commissioner or the patient.

"The legislation requires that [the Personal Health and Information Act] be reviewed after three years. This review is currently taking place," he said.

CBC News also asked the Internal Services Department about how much has been paid out in compensation for privacy leaks by public bodies.

A department spokesperson has been working on the request for two days and said additional time is required. 

ABOUT THE AUTHOR

Elizabeth Chiu is an award-winning reporter in Nova Scotia. She's passionate about engaging with the community to share their stories.