Sask. Health Authority removes Estevan-area employee from duty after 880 privacy violations - Action News
Home WebMail Saturday, November 23, 2024, 06:58 AM | Calgary | -12.2°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Saskatchewan

Sask. Health Authority removes Estevan-area employee from duty after 880 privacy violations

An employee with the Saskatchewan Health Authority is not working after the person was found to have violated the privacy of 880 other people in the Estevan area.

Privacy commissioner Ron Kruzeniski recommended the employee be fired

There were 880 breaches between June 2010 and May 2017. The health authority said the employee is not working and they're considering their options, including terminating their employment. (Getty Images)

The Saskatchewan Information and Privacy Commissioner is recommending that the Saskatchewan Health Authority fire an employee who improperly accessed the private information of 880 people in the Estevanarea.

A spokesperson for the SHA said in an email that the employee is not currently working and the Authority is reviewing its options, including terminating their employment.

The breaches were made using Procura,an electronic medical record system used throughout the province, between June 2010 and May 2017, according to RonKruzeniski's report on the matter.

Procura is also very thorough, containing information on people such asname, contact information, health services number, physician name, records of visits with physicians, consultation reports, investigation reports, diagnostic results, bills and correspondence.

The information was "need-to-know" and the employee did not need to know. Suspicions were raised when the employee discharged someone using Procura, which was not a function of their job.

The employee was interviewed by health region authorities and hadtheir duties outlined, but went on to improperly access information two other times after the meetings, the ruling says.

Authorities were made aware of a possible breach that May. Everyone whose privacy had been breached was notified, except for the 266 peoplewho had died.

Although there was no privacy officer working within the Sun County Health Region, as it was known before it was amalgamated into the SHA,Kruzeniskirecommended that SHAdevelop a policy to ensure that a privacy officer is notified of a possible breach as soon as it is suspected.

He also recommended that the health authority notify his office of breaches sooner, asKruzeniski's office was notified eight months after the breach was discovered.

Lastly, he recommended that the SHArefer the matter to the Ministry of Justice for possible legal action.