N.W.T.'s medical record system under the microscope after 2 reported cases of snooping
The privacy commissioner issues reports on cases in which an investigation yields evidence of intentional and unauthorized access to private health information, commonly known as "snooping."
This year, commissioner Andrew Fox publicly reported two distinct cases of snooping in electronic medical records. They both involved employees of the Northwest Territories Health and Social Services Authority (NTHSSA).
Taken together, the cases illustrate vulnerabilities in the NTHSSA's electronic medical record (EMR) system. According to at least one expert, the EMR system doesn't appear to meet the highest ethical standards for patient privacy.
An EMR is a digital version of a patient's medical history. It can include things like test results, X-rays and prescriptions.
One of the cases published online this year by the privacy commissioner involves an instance in 2021 of an administrative clerk with NTHSSA deliberately opened a person's EMR and relayed some of their private health information to another person. The clerk did this "without consent and without lawful authority," wrote Fox.
The clerk admitted to wrongdoing during an NTHSSA investigation, and was fired some months later.
Fox called this a "particularly egregious, intentional privacy breach." He said the health authority's response was appropriate, but that the agency should have revoked the employee's EMR access as soon as it confirmed the breach.
The health authority uses "role-based access" to the EMR system, meaning an employee's access is limited to what is necessary for their role.
Fox noted that on occasions when the clerk was assigned to other roles, the NTHSSA didn't restrict her EMR access in accordance with those roles.
'I felt incredibly violated'
The second case published this year involved two NTHSSA employees who, on multiple occasions, snooped in the medical records of a patient who wasn't in their care. The employees were siblings and the patient had previously been in a relationship with one of them.
It wasn't until the patient filed a "record of activity" request in July of 2023 — a report on who had looked at her EMR — that she learned of the breach.
"I was disgusted. I felt incredibly violated," said Maryse Gravelle, the patient who had her medical records snooped.
"Our financial institutions have software in place to identify when there's a fraudulent charge possibly being made on our accounts," she said. "How can a banking institution have those sorts of safeguards in place, but there's no alerts on hospital software, on emergency medical records, to alert when there's a suspicious action in somebody's chart?"
In his report, the privacy commissioner said the siblings' jobs granted them "broad access" to the EMR system. Their motivation for opening the patient's records seems to have been "curiosity proceeding from a personal relationship."
Fox called the privacy breach a "deliberate and serious breach of trust," and said it caused the patient "significant distress."
Both siblings admitted to misconduct, were suspended without pay for 10 days and had their EMR access revoked for at least 18 months.
The health authority is required by law to notify a patient about a breach of their medical records "as soon as reasonably possible."
In a statement, NTHSSA CEO Kim Riles said the health authority must investigate all reports of privacy breaches, and upon completion of an investigation, notify the affected people.
"At times, the investigation process can take a significant amount of time," wrote Riles. She added the NTHSSA is reviewing its practices and "has committed to ensuring the notification occurs as soon as a privacy breach is confirmed, regardless of whether a full investigation has been completed."
She said the agency accepted the privacy commissioner's recommendations and continues to improve and update mandatory training.
Auditing EMRs 'a real challenge'
Livia Kurinska-Hrdlickova is the territory's chief health privacy officer. She said routine audits check for suspicious activity in the EMR system, which if found, is flagged to the health authority.
But Fox told CBC that auditing EMRs for instances of unauthorized access is "a real challenge."
"If you looked at some random sample of employees looking at health records, there's really nothing that you could infer from the fact that a lab assistant looked at someone's medical record," he said. "You couldn't tell whether that was authorized or not."
Neither of the two snooping cases Fox published this year were flagged by a routine audit.
Kurinska-Hrdlickova explained that an employee with role-based access to the EMR system has gone through mandatory privacy training, and taken an oath of confidentiality. They need a patient's first and last name, and their date of birth or health-care number, to open their medical record.
The system also relies on trust that employees with access will only use the EMR system when it's required for their work on a specific case.
"Any system across Canada is not perfect," said Kurinska-Hrdlickova. "You never go to a zero risk, right? Because that's impossible."
EMR system not structured 'according to ethics': expert
As Fox noted, NTHSSA extended trust to the employees with EMR access, and the employees breached that trust.
Eike Kluge, a University of Victoria biomedical ethics professor, said in the case of the siblings, the EMR system shouldn't have allowed them to open Gravelle's record in the first place.
"There should be a challenge. Justify who you are and what right you have to access that record," he said.
Kluge said the system shouldn't just flag improper access, it should prevent it.
If the system isn't blocking improper access, "it's not properly structured," he said. "Certainly not according to ethics."
Kurinska-Hrdlickova disagreed with Kluge's assertion and said the territory's EMR system complies with territorial privacy legislation.
She also said the territory's EMR system is set to be replaced in the near future, and that the new system will have even stronger privacy protections.
There isn't readily available data on the prevalence of medical record snooping in the N.W.T. or in Canada.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
CBC
12 hours ago
- CBC
Canadian detained in U.A.E. says he felt abandoned by embassy
Ghazwan Abdel-Jeleel says he was wrongfully detained in the United Arab Emirates for 10 months and denied critical diabetes medications. He says Canada's embassy there didn't do enough to help.
CBC
15 hours ago
- CBC
What health experts are saying about Alberta's COVID-19 vaccination program
Social Sharing Health experts, advocates and unions are sounding the alarm over Alberta's plan for paid COVID-19 shots, calling it concerning and confusing. On Monday, two months after the province announced it was adding a fee, it opened online pre-ordering for the vaccine. Albertans still need to book appointments for the shots, starting in October. Dr. James Talbot, the province's former chief medical officer of health, said the government appears to be doing everything it can to make this year's immunization campaign a "failure" by making it less available, less accessible and less affordable. "They are basically sabotaging their own COVID campaign," he said. He's among a chorus of critics warning it could lead to more hospitalizations and stress on the health-care system. Talbot and other public health experts and physicians penned an opinion piece in the Edmonton Journal last week, arguing the plan creates unfair barriers and puts Albertans at risk. "You've created this unfairness where if you're rich, you can get protected, but if you're poor, you may not be able to," Talbot said. Leigh Allard, president and CEO of Alberta Lung, part of the National Lung Health Alliance, said the government's policy makes it an extreme outlier and its precedent could ripple across the country. Those who suffer from lung conditions like asthma, cystic fibrosis or pulmonary fibrosis are vulnerable, she added. This year, Albertans also won't be able to walk into a pharmacy to get a COVID-19 shot, where the vast majority of doses were given last year. They must go to a public health clinic. Allard said people are confused over the plan. She's also concerned many won't be able to access a clinic for a shot, especially if hours aren't extended, or some simply won't be able to afford it. She said she expects an uptake in Alberta Lung's financial assistance programs. "As a charity, we should not be supplementing what the government should be doing." The government said it will still pay for some to get shots, including those who have compromised immune systems or are on social programs. Seniors in congregate settings will also be covered. However, the specifics of the qualifying health conditions have not been released. It's estimated a shot could cost $110, but the government has yet to pin down the price. Kyle Warner, spokesperson for Primary and Preventative Health Minister Adriana LaGrange, said details are forthcoming. "The fall immunization plan is being finalized, and details — including the updated vaccination schedule, eligible conditions, exact locations and administrative fee for COVID-19 vaccines — will be available soon," he said in a statement. Warner also said Albertans who don't pre-order by the Sept. 30 deadline can still book a vaccine appointment once doses become available. He said online pre-ordering helps determine future vaccine needs, minimize waste, manage delivery and prevent double bookings, since the influenza vaccine can be given at the same time. Those who pre-order are promised a reminder in October to book an appointment. The province said it has ordered 485,000 doses of COVID-19 vaccine for the fall and some of the estimated $49-million cost would be covered through those who have to pay. The government didn't respond to questions about whether it has a contingency plan to order more doses if needed, whether out-of-province costs might be reimbursed, and what informed its decision to order 250,000 fewer doses than last year. It also didn't clarify whether flu shots, which remain free, would be available in pharmacies. The province's interim chief medical officer of health, Dr. Sunil Sookram, wasn't made available for an interview. Talbot called withholding the specifics disrespectful. "It's bad enough that there's a list that says you're going to ration it, but then to have confusion about who's on the list — that just seems cruel," he said. The province has said an estimated one million COVID-19 vaccine doses, or just over half of Alberta's supply, weren't used during the 2023-24 respiratory virus season. Premier Danielle Smith has said that meant $135 million was "flushed down the drain." Facing heated questions about the policy at a public town hall in Edmonton on Thursday, Smith said her United Conservative Party government is trying not to waste public money. "There are lots of different types of vaccines that are paid for out of pocket right now ... because the federal government defunded it," she said, pointing to shots for yellow fever, which also need to be purchased. The latest provincial data says 394 Albertans with confirmed COVID-19 have died since last August. Talbot and labour leaders have also said the plan puts health workers in harm's way, and potentially forces those in an already strained system to take sick time off work to avoid infecting others. "You're going to be the only province in the country that says we care so little about these people that we're going to force them to pay for their own vaccine," said Talbot. "It seems inconceivable to me that a rational mind would think that was a good way to recruit and retain health-care professionals." Unions warned this week of potential fallout. In a Tuesday letter to the premier, Alberta Federation of Labour president Gil McGowan wrote it would be a violation of workplace health and safety laws not to include all health workers, education workers, transit operators and those in the service sector on its priority list. McGowan said he's also hearing frustration and confusion from front-line members. "It's not just incompetence. This is clearly not a vaccine rollout strategy. It's a vaccine suppression strategy," he said. The United Nurses of Alberta has said the plan limits the freedom of Albertans to choose vaccination by intentionally limiting supply and penalizing those who can't afford it.
National Post
15 hours ago
- National Post
Lawyer insists foreign adversary is behind Canadian diplomats' Havana Syndrome
Article content The Global Affairs report traces the various steps federal agencies have taken over the years in response to the illness complaints, including security, medical and environmental assessments. Article content A multi-agency Integrated National Security Enforcement Team, led by the RCMP, opened an investigation in June 2017. Article content Global Affairs and RCMP officials began travelling regularly to Cuba as part of the investigation to look at the possibility of malicious attacks, the report says. Canadian officials also shared information with foreign partners, including the United States. Article content In 2019, instruments designed to detect and capture evidence of acoustic and radiation surges, and to measure environmental effects — such as temperature, humidity, barometric pressure and ozone levels — were installed in the living quarters of Canadian staff in Havana. Article content 'The data collected from the instruments did not provide relevant and probative information to identify a cause for the symptoms,' the Global Affairs report says. 'As such, in 2022, the instruments were removed.' Article content Article content The integrated national security team concluded 'there was no criminality and no evidence attributing these health symptoms to a foreign actor,' the report adds. Article content 'In their conclusions, the RCMP and other domestic partner agencies assess that there is no known criminality, no known attribution for (unexplained health incidents) and no patterns related to symptoms, age, gender, location, or other variable.' Article content The U.S. intelligence community looked at possible evidence of a foreign adversary's involvement, the feasibility of tools that could cause the reported symptoms and whether medical analysis could help find answers. Article content A March 1, 2023, report from the U.S. National Intelligence Council said these lines of inquiry led most intelligence community agencies to conclude — with varying levels of confidence — that it was 'very unlikely' a foreign adversary was responsible for the health issues reported by American personnel. Article content Global Affairs, the Canadian Security Intelligence Service and the RCMP subsequently met to discuss the U.S. council's findings. Article content Article content The RCMP indicated that 'since no criminality was uncovered, its criminal investigation would be concluded,' and CSIS advised it also would be wrapping up its investigations for similar reasons, the Global Affairs report says. Article content Overall, the Canadian efforts 'have not uncovered a clear common cause of the symptoms experienced by government of Canada employees,' the report adds. 'Canada's findings are aligned with the conclusions of the United States on their various health studies and the security report published by the National Intelligence Council.' Article content Miller points to other research and testimony that challenge those findings. Article content Lawyer Mark Zaid, representing several U.S. personnel with symptoms, told a congressional hearing in May 2024 that there was intelligence, scientific and medical evidence substantiating the reports of anomalous health incidents, and that some were caused by a foreign adversary. Article content Zaid, who had authorized access to secret details, said he was convinced that 'the evidence that exists in the classified arena directly contradicts the public conclusions' provided by U.S. federal agencies about the cause of the health symptoms.
