St. Joe’s fires employee who snooped into medical records of 49 patients ‘out of curiosity’

by Sebastian Bron - Spectator Reporter

St. Joseph's Healthcare Hamilton has fired an employee who inappropriately snooped into the medical records of four dozen patients.

The massive privacy breaches spanned more than a year and saw 49 patients' personal health information - think names, medical record numbers, ethnicities, family doctors, birthdays, phone numbers and addresses - exposed to a single staffer with system-access privileges.

St. Joe's said in a statement to The Spectator on Wednesday the staff member was looking for information "out of a general sense of curiosity."

That's the same answer they gave about a month ago after a Spectator story revealed the files of two patients - a dead mother and a baby boy who are unrelated but share a last name - were inappropriately accessed.

At the time, St. Joe's said they uncovered "five instances in the past year where staff have accessed health records for reasons other than their hospital duties."

On Wednesday, they appeared to correct that statement, instead saying five staff members - including the terminated one - were involved in privacy breaches in 2021. Barring the fired employee, the four staffers accessed "between one and six patient" files, the hospital said.

It took a subsequent investigation by the Information and Privacy Commissioner of Ontario (IPC) to find the terminated employee snooped into the files of 49 patients - not the five St. Joe's previously cited - between February 2020 and March 2021.

The IPC said in a statement it won't issue its findings to the public as it's "satisfied with the steps" St. Joe's took in response to the breach, including terminating the responsible employee.

"Health-care institutions need to take reasonable measures to safeguard personal health information and remind all of their employees and agents that any kind of unauthorized access to patient files, whether out of curiosity, personal gain, carelessness or even concern, is unacceptable," they said.

St. Joe's did not respond when asked why it took a third-party probe to accurately discern the scope of the breaches.

"I mean, if the IPC can find that information, St. Joe's can find it," said former Ontario privacy commissioner Ann Cavoukian in an interview. "But it sounds like they didn't dig deep enough to find out if there were other cases or not."

Cavoukian called the breaches "appalling" and expressed surprise that the employee wasn't criminally charged. "Followed by financial data, health information is the most sensitive type of data that exists," she said.

"In the wrong hands, that kind of information, all your personally identifiable data, can be used in ways that come back to haunt you," Cavoukian added. "Identity theft can arise, bills can be charged to you - all kinds of negative repercussions.

"What I'd like to know is what that person is doing with that data? They should've been charged."

St. Joe's said only one staff member was responsible for the breaches and all affected patients have been notified.

The hospital has submitted a plan to the IPC to strengthen their privacy program, they said, and are now implementing enhanced annual privacy training and re-education of all staff on their privacy policies.

"We take every privacy breach very seriously," John Aldis, senior vice-president of finance and corporate service at St. Joe's, said in an emailed statement. "We are deeply sorry for the distress this has caused the affected patients."

For Arthur Gallant, those comments ring hollow.

His late mother, Marilyn, had her records inappropriately accessed on March 26, 2021. But it would be another nine months before St. Joe's informed Arthur of the breach, saying in a letter the staff member's actions were driven by a general sense of curiosity and that they "did not copy or further disclose any information learned from their accesses."

The letter, dated Jan. 18, 2022, further stated the staffer was disciplined and ordered to undergo additional privacy training.

"There's such a big gap from the time the first breach was committed to the time the employee was terminated," Gallant said Tuesday. "They say they're developing policies - but why did this go undetected for so long?"

Gallant, who's gone through an "emotional wringer" as he continues to grieve his mother's death, takes pointed issue with how St. Joe's responded to the breach. He said the hospital essentially "defended" the employee by not terminating them sooner.

"While I'm relieved that they've been terminated, I'm just really shocked at how they got from publicly defending their employee's actions and reprimanding them, to now firing them."

Meanwhile, Shauna Gallant's two-year-old son's records were accessed twice because the terminated employee was "searching for a family member's health record, and in doing so came across the demographic information ... of other individuals with a similar name," St. Joe's said in a statement to The Spec on March 4.

St. Joe's did not answer when asked whether the other 47 patients affected by the terminated employee's privacy breaches shared the last name Gallant. They also did not say how many times the employee accessed affected patients' files.

Sebastian Bron is a reporter at The Spectator. sbron@thespec.com
