AHS Failed to Properly Protect Health Information

October 17, 2018
Former employee improperly accessed health information of more than 12,000 individuals

An investigation by the Office of the Information and Privacy Commissioner (OIPC) has found that a former employee of Alberta Health Services (AHS) accessed and used health information in contravention of the Health Information Act (HIA). The investigation also determined that AHS failed to ensure the employee was aware of and adhered to safeguards to protect health information.

On September 26, 2016, AHS issued a news release to inform the public about a former employee who had improperly accessed the health information of more than 1,309 individuals between 2004 and 2015 in Alberta Netcare, the provincial electronic health record. An additional 11,539 individuals had their demographic information viewed by the former employee in Netcare Person Directory, a subsystem of the provincial electronic health record. The employee worked at Alberta Hospital Edmonton. The inappropriate accesses were discovered after an audit of the employee’s accesses in Netcare and Netcare Person Directory.

The investigation found that concerns about the employee’s improper use of Netcare had been raised on more than one occasion by coworkers between March 2014 and July 2015. On the advice of the AHS Privacy Office, a coworker obtained a Netcare Audit Log of accesses to their own health information, which showed that the employee had accessed the coworker’s health information. AHS subsequently reviewed the employee’s accesses and terminated her employment.

After AHS notified individuals affected by this breach, the OIPC received a total of 30 written complaints from affected individuals. These individuals were generally concerned that their health information had been accessed for unauthorized purposes, and wanted to know why their information had been accessed. A number of complainants also expressed concern that the employee’s actions went undetected for such a long period of time.

Given the number of affected individuals in this case, the number of complaints submitted to the OIPC and media coverage of this matter, Commissioner Jill Clayton opened this investigation to review whether the employee’s accesses were in compliance with HIA and whether AHS took reasonable steps to safeguard health information.

“As was the case with an investigation report my office issued last year into AHS employees who improperly accessed health information of a woman and her daughter at South Health Campus in Calgary, this investigation highlights a significant breach of privacy where the focus of the investigation shifted from the employee to AHS’ implementation of safeguards,” said Clayton. “This report should be a wake-up call for anyone responsible for protecting Albertans’ health information, alerting them to the potential consequences if they fail in their duty to implement and maintain reasonable safeguards to protect health information.”

On August 31, 2018, amendments to HIA came into force that introduce a fine of not less than $200,000 for a person who fails to take reasonable steps in accordance with HIA regulations to maintain safeguards to protect against reasonably anticipated threats to the security of health information (sections 107(1.1)(a) and 107(7)).

The investigation resulted in four recommendations to AHS. During the course of the investigation, AHS took several actions, such as focusing on HIA awareness training for employees and conducting an internal audit of auditing processes.