Depth of file snooping by fired St. Joe’s worker a ‘serious breach of medical ethics’: expert
New details have emerged about the extent of a massive privacy breach at St. Joseph's Healthcare Hamilton that led to an employee being fired in March.
A report from Ontario's privacy commissioner independently obtained by The Spectator reveals the terminated employee accessed more than just the demographic information of 49 patients over a year-long span.
In prior statements to The Spec, the hospital failed to disclose the scope of the breaches, only saying the responsible staffer snooped into patient records that included details such as names, birthdays, addresses, emails, phone numbers, ethnicities and religions, among others, "out of a general sense of curiosity."
But the report from the Information and Privacy Commissioner of Ontario (IPC) now reveals far more intimate patient details were compromised.
The report - a product of a months-long probe into the extent of the breaches and St. Joe's handling of them - found more than two-dozen patients of the total 49 had health records accessed that included clinical doctor notes.
Between February 2020 and March 2021, 26 hospital patients saw their health files and sensitive physician notes inappropriately accessed, according to the report, which was confidentially provided to The Spec by an affected patient. Another 23 saw their demographic information inappropriately accessed.
St. Joe's said in a statement Friday the clinical notes included documented care provided by nurses and physicians to patients during hospital visits.
They did not respond when asked why the full extent of the breaches was not previously disclosed.
For Arthur Schafer, founding director of the Centre of Professional Applied Ethics at the University of Manitoba, the absence of a thorough disclosure points to an "accountability problem" at St. Joe's.
"St. Joe's pretended to be accountable by issuing statements that a breach happened, but they were not accountable in that they didn't disclose that clinical notes were also breached," he said.
Schafer called the access to clinical notes a "serious breach of medical ethics" that threatens the sanctity of doctor-patient relationships.
"This is a really big deal," he said. "Physicians and hospitals keeping patient information confidential and on a need-to-know basis is critically important to the foundation of medical confidentiality.
"If you can't trust your physician or hospital, then you're likely to be less forthcoming with various potential issues that could prejudice your health."
It took St. Joe's nearly three months to report 26 of the 49 breaches to the IPC, a delay the hospital attributed to an internal investigation and full audit of the responsible worker's snooping activity.
As for the other 23 that saw demographic details breached?
St. Joe's didn't know they were an infringement of the Personal Health Information Protection Act until the IPC flagged them as such, according to the report.
"Upon further discussions with our office about what constitutes an improper use of personal health information under the act, (St. Joe's) agreed to consider the employee's access to the personal health information of 23 additional patients as part of the reported breach," the report states.
"My jaw drops to the floor hearing that," Schafer said in reaction to St. Joe's initially not identifying the 23 breaches as contraventions of the act. "It suggests a massive failure of comprehension on the part of the hospital."
Schafer said the type of information breached in those files - albeit largely demographic details that don't include clinical notes - "can be used to seriously harm patients if it falls into the hands of people with malicious motives."
"It almost passes the bounds of understanding how the hospital could think these breaches were not important," he added. "Who is training their administration and staff in medical ethics?"
According to the report, St. Joe's has taken several steps to reduce the likelihood of a similar breach in the future. Those include:
- The termination of the responsible employee;
- Enhancements to its privacy policy to include warnings of disciplinary action for non-compliance;
- Hospital-wide communications to staff regarding unauthorized access;
- Mandatory annual privacy training for all staff;
- Mandatory annual confidentiality attestations from all staff;
- And increased oversight, including bimonthly audits and a privacy disclaimer presented to staff before they sign into the hospital's electronic medical record system (EMR).
But questions remain about the privacy scandal beyond how St. Joe's identified and reported the breaches.
The responsible employee stayed on the job for a full year before being fired.
They were disciplined in January 2022 - more than nine months after St. Joe's first identified the breaches - and ordered to undergo additional privacy training, along with weekly targeted audits of their use on the hospital's EMR.
That action came to light after a Spectator story in February revealed the worker snooped into the files of two patients - a dead mother and a baby boy - who were unrelated but shared a last name.
At the time, the hospital said they uncovered "five instances in the past year where staff have accessed health records for reasons other than their hospital duties."
It wasn't until the subsequent IPC investigation that it was revealed the disciplined worker inappropriately accessed the files of 49 patients - not the five St. Joe's cited - over a 13-month period.
The employee was fired in March. St. Joe's said that the employee confirmed in writing to them that they did not copy or disclose any of the information they accessed.
According to the report, most affected patients were notified about the breaches - but at different times. The report states St. Joe's sent written notice letters to the patients on Aug. 6, 2021, Sept. 24, 2021, and Jan. 19, 2022. Some patients didn't have up-to-date contact information.
The hospital said the staggered timeline of notification reflects "the various stages of our internal investigation."
"We needed to provide a fulsome report around the circumstances of the breach," Christine Cho, manager of public affairs, told The Spec via email. "We also dealt with competing pressures and resource challenges from the hospital's pandemic response."
St. Joe's has boasted among the worst track records in Ontario for patient file security in recent years.
A Spec analysis previously found the hospital reported 2,183 privacy breaches to the IPC between 2018 and 2020 - the second most in the province.
Ninety-three per cent of breaches committed during the three-year period stemmed from misdirected faxes sent to patients' primary-care providers who'd unknowingly changed numbers, the hospital said in April. The remaining seven per cent were due to unauthorized access by staff - some intentional (snooping), others unintentional (email errors). There were also two cases of staff thefts: a stolen laptop and a stolen sign-in sheet.
The breaches led to the termination of three staff members. It's unclear how many other workers were disciplined but not terminated.
Sebastian Bron is a reporter at The Spectator. sbron@thespec.com