A Saskatchewan registered nurse at the Yorkton Regional Health Centre was caught snooping through the personal health records of 70 people on 210 occasions, the privacy commissioner reports.
Information and Privacy Commissioner Ronald J. Kruzeniski says the nurse accessed the information through the Sunrise Clinical Manager electronic health record between Nov. 1, 2023, and May 3, 2024. They were fired later that year as part of disciplinary action taken.
The report, issued March 31, says the nurse had access to peoples’ addresses, phone numbers, birthdays, genders and health services numbers, as well as a range of medical documents.
According to the report, the nurse initially alleged that other employees may have accessed the information, but the Saskatchewan Health Authority (SHA) found no other employee worked all the hours that matched the times of the privacy breaches.
The nurse also alleged that in some cases they had accessed patients’ historical information as part of clinic processes for registering them as new patients.
However, the SHA said that’s not part of the clinic’s process, and there is no need to view a patients’ history in the electronic medical record because all information is listed on an order.
The nurse also claimed that in some cases they looked at the personal information of patients in their care for the purposes of providing care. The SHA found that several of those patients were no longer in the care of the nurse, had died, or were not patients needing the type of care the nurse could provide.
The nurse later admitted they viewed of some people’s records out of curiosity.
Kruzeniski also ruled the SHA did not take proper steps to notify his office or the 70 people affected by the privacy breaches — and that it failed to suspend the nurse’s access to the records during its internal investigation.
Kruzeniski recommended the SHA re-issue notification letters that include copies of excerpts from Sunrise Clinical Manager that would apply to each affected person, showing what records were accessed on which days, and the name of the “snooper.”
He said that based on information provided by the SHA, the “snooper” should have known their actions would contravene the training they received, along with policies and procedures they were made aware of.
The commissioner offered a number of recommendations to prevent future snooping incidents. One of those was to name the snooper to staff and the disciplinary actions taken to prevent future similar incidents.
Another recommendation was that, in the future, the SHA forward investigation files to public prosecutors at the Ministry of Justice and Attorney General to allow them to consider whether an offence has occurred, and if charges should be laid under HIPA or any other statute.
HIPA stands for the Health Information Protection Act and covers the collection, storage, use and disclosure of personal health information, access to personal health information and the privacy of patients, according to the office of the privacy commissioner.
The SHA notified the privacy commissioner of the incidents on Nov. 18, 2024.
Kruzeniski’s full report can be read here.
