Individual Pleads Guilty for Health Information Breaches

March 22, 2017

A former supervisor of health information management was convicted of accessing individuals’ health information in contravention of the Health Information Act (HIA). The judge issued a $5,000 fine on March 21 for 13 unauthorized accesses of health information (Vermilion Provincial Court docket 150301810P1).

In June 2013, Alberta Health Services (AHS) was notified that Amanda Tripp had visited with her boyfriend in the health records room at the Tofield Health Centre in contravention of internal policy. AHS conducted an audit of Tripp’s accesses in medical information systems, including Alberta Netcare, the provincial electronic health record.

The Office of the Information and Privacy Commissioner (OIPC) received a self-reported breach from AHS in August 2013, which alleged that Tripp had inappropriately accessed patient records. The OIPC also received two complaints from individuals affected by these incidents.

The OIPC’s investigation found that Tripp improperly accessed the health information of 14 individuals on 25 occasions in Alberta Netcare.

As part of her role at the time of the breaches, Tripp was responsible for responding to access to information requests from individuals and RCMP requests for health information about a patient. She had completed a course on information privacy and IT security awareness, and had a working knowledge of HIA.

The OIPC referred its findings to Crown prosecutors at Alberta Justice. Charges were laid in April 2015. Due to a two-year limitation period under HIA, Tripp pleaded guilty to 13 unauthorized accesses.

This was the sixth conviction since HIA was enacted in 2001. There are currently two other matters before the courts where individuals have been charged for allegedly accessing information in contravention of HIA.