Health Information Breaches Result in Fine to Individual

April 19, 2017

On March 27, a former registration and staffing clerk pleaded guilty and was fined $3,000 for accessing individuals’ health information in contravention of the Health Information Act (HIA) (Athabasca Provincial Court docket 170049480P101).

In 2015, Alberta Health Services (AHS) identified 279 alleged unauthorized accesses of health information in electronic health record systems by Deborah Nimco.

The Office of the Information and Privacy Commissioner (OIPC) received a self-reported breach from AHS. The OIPC also received 10 complaints from individuals affected by these incidents after they had been notified by AHS.

The OIPC’s investigation focused on 28 of the alleged unauthorized accesses of health information. For prosecution, that number was reduced to 21 as seven were barred due to a two-year limitation period under HIA.

The OIPC’s investigation found that many of the affected individuals were people known to Nimco, including co-workers, relatives or friends. It was reported that many, if not all, of the unauthorized accesses were done by Nimco out of curiosity.

During the investigation, Nimco resigned from her position. She had been working at the Athabasca Health Care Centre.

The OIPC referred its findings to Crown prosecutors at Alberta Justice. Charges were laid in January 2017.

This was the seventh conviction since HIA was enacted in 2001, and the second in 2017. There is currently one other matter before the courts where an individual has been charged for allegedly accessing information in contravention of HIA.