Patient records data breach
Patient records data breach | OIPC reveals pharmacy privacy programme failures
The Office of the Information and Privacy Commissioner for Nova Scotia (OIPC) has criticised the province's Department of Health and Wellness and Sobeys National Pharmacy Group (Sobeys), for multiple breaches of patients' Personal Health Information (PHI).
An investigation under the Personal Health Information Act (PHIA) revealed that Sobeys failed to adequately monitor access to PHI, allowing a pharmacist to pry into the private lives of patients.
Leading the OIPC investigation, privacy commissioner Catherine Tully discovered a series of privacy breaches by a pharmacist employed as the manager at a community pharmacy operated by the Sobeys National Pharmacy Group. Tully said:
“Access to this information for purposes not related to providing health care is a serious invasion of an individual’s personal life and an abuse of authorized user access privileges.”
Although the privacy commissioner did not name the pharmacist in her report, the Nova Scotia’s College of Pharmacists has confirmed that Robyn Keddy is the pharmacist in question.
Tully said that Keddy had “snooped” into the electronic personal health information, which includes prescription history and medical conditions, of 46 people over a two year period in order to “satisfy personal curiosity.”
Global News reported:
Beginning in October 2015 Keddy began to access health records while creating 28 false profiles in order to access information of those who were not customers of the pharmacy she worked at.
“The pharmacist created false profiles and falsely claimed that individuals had consented to the creation of the record,” Tully wrote in her report.
Keddy reportedly discussed with fellow employees the inappropriate access she gained and witnesses also reported her discussing personal information over the telephone.
Patient Records data breach - failures & remedies
Evidently, Sobeys failed to conduct regular audits of users' activity, and did not timely identify unauthorized access by authorized users. Moreover, the firm did not correctly identify the scope and nature of a pharmacist accessing patients' personal health information (PHI).
Sobeys also failed to provide notification to 28 individuals of breaches within its system.
Remedial measures to be implemented include:
providing data breach training to corporate leadership and managers;
addressing reported issues, and;
immediately notifying affected individuals.
The OIPC recommended that within 6 months Sobeys should implement the technical capacity to conduct proactive user activity audits, including as a minimum, flagging:
activity not associated with dispensing.
improve quality improvement audits by:
conducting 3 audits per year:
involve a non-pharmacist in at least one of the audits.
question for all staff about identification of any privacy compliance concerns or recommendations; and
regular review of proactive monitoring logs.