St. Joe’s reported more than 2,000 privacy breaches since 2018 — the second most in Ontario
More than 2,000 patients at St. Joseph's Healthcare Hamilton have had their medical files breached in recent years, a figure experts say raises questions about the hospital's record-keeping practices.
A Spectator analysis of annual reports from the Information and Privacy Commissioner of Ontario (IPC) reveals St. Joe's has among the worst track records in the province for patient file security.
Between 2018 and 2020, the hospital reported 2,183 privacy breaches to the IPC - the second most in Ontario, data shows.
The analysis comes on the heels of a shocking breach that saw a St. Joe's employee fired in March after they snooped into the files of 49 patients out of curiosity.
Of the hundreds of hospitals, pharmacies and health-care providers that reported breaches between 2018 and 2020, data shows only London Health Sciences Centre, with 7,662 breaches, reported more incidents than St. Joe's.
By contrast, Hamilton Health Sciences (HHS), the city's other major hospital, reported just 190 breaches in that same time frame.
Ontario amended a law in October 2017 to make it mandatory for health-care professionals to report breaches to the IPC. Public IPC data is available only for 2018 through 2020.
While breach data for 2021 is expected to be released in the IPC's annual report this summer, in response to requests from The Spec, St. Joe's said they had an additional 150 breaches last year and HHS had 75.
St. Joe's attributed the high number of privacy incidents in recent years to the hospital's migration to a new electronic medical record (EMR) system in 2017, which included automated faxing of patient information to family doctors.
"Despite our best efforts, St. Joe's has had instances of privacy breaches and we are committed to continue doing everything we can to prevent them in the future, including updates to our mandatory privacy training program and annual attestation of confidentiality," Nicole Vaillancourt, manager of public affairs, said via email.
The "shockingly high" number of breaches at St. Joe's should raise doubt about the hospital's general privacy policies and training practices, said Arthur Schafer, founding director of the Centre for Professional and Applied Ethics at the University of Manitoba.
"As these breaches and their frequency come to public light, the people who are in charge of the health-care system - the CEO of the hospital, the chief physicians, the chief nurses - have an obligation of accountability," Schafer said in an interview.
"The privacy breaches at St. Joe's are so shockingly high, in absolute terms and in comparison to other Ontario health-care institutions, that they owe it to their patients to explain what went wrong, carefully and in detail."
St. Joe's said three staff were fired between 2018 and 2020 in relation to the breaches. It's unclear how many other workers were disciplined but not terminated.
Ninety-three per cent of breaches committed during the three-year period analyzed by The Spectator stemmed from misdirected faxes sent to patients' primary-care providers who had unknowingly changed numbers, Vaillancourt said, adding the hospital later reached out to affected patients and obtained up-to-date contact information for their providers.
"We work with care providers to confirm that all misdirected documents are destroyed," she said.
"The remaining seven per cent were due to unauthorized access by staff - some intentional (snooping), others unintentional (email errors). There were also two cases of staff thefts: a stolen laptop and a stolen sign-in sheet. Due to strong encryption on the laptop, no patient information was compromised," Vaillancourt said. "A patient affected by the stolen sign-in sheet was notified."
Vaillancourt said the hospital has since implemented process improvements and made "significant progress" to reduce cases of misdirected faxes, which are classified and reported to the IPC as "disclosed without authority" incidents.
What those changes are or when they occurred, however, she did not specify.
"St. Joe's was an early adopter of the EMR system and has shared learnings - including misdirected auto faxes - with other hospitals going through similar transitions," Vaillancourt added.
St. Joe's conducts bimonthly audits throughout the year and employees are presented with a privacy disclaimer before signing on to the hospital's EMR system. But despite migrating to the digital system in 2017, misdirected faxes continue to be a problem: of the 150 privacy breaches recorded last year, 120 were misdirected faxes. Vaillancourt did not offer an explanation when asked why this was still a problem four years later.
For Schafer, the crediting of breaches to a shift in record systems raises more questions than it does answers.
"Is that an adequate explanation? Because every other hospital and clinic in Ontario have undertaken the same migration from paper to electronic record-keeping," he said. "What is it about the prevailing culture, safeguards and systems in place at St. Joe's that exposes their patients to such a high degree of risk?"
"That's a nonsense answer," added former Ontario privacy commissioner Ann Cavoukian. "There's lots of hospitals going through shifts to electronic systems. St. Joe's should be audited strongly and I hope the IPC goes in and does so."
There are also concerns about how St. Joe's responds to employees who violate patient privacy.
In January, a St. Joe's staffer was disciplined after the hospital said they snooped into the files of two patients - a dead mother and a baby boy - who are unrelated but share a last name. The hospital told The Spectator at the time they uncovered five instances where staff have accessed health records "for reasons other than their hospital duties."
But it took a subsequent investigation by the IPC to reveal the disciplined employee inappropriately accessed the files of 49 patients - not the five St. Joe's cited - over a year-long span.
The staffer was fired in March. St. Joe's didn't respond when asked why it took a third-party probe to accurately discern the number of breaches.
"You would think that person would've been terminated from the start," said Schafer. "Is there an institutional culture problem there where these (breaches) aren't taken seriously?"
Apart from the terminated employee, St. Joe's said four other staff were involved in intentional privacy breaches affecting between one and six patients in 2021. All were disciplined. None were fired.
HHS spokesperson Wendy Stewart said "fewer than five individuals" were disciplined and one was terminated in 2021 in relation to 75 privacy breaches - half of what St. Joe's recorded. The hospital conducts monthly audits to ensure compliance with its privacy policies, she added, and staff receive a confidentiality alert when signing into their patient records system.
St. Joe's said it submitted a plan to the IPC to strengthen its privacy program and is now implementing enhanced annual privacy training and re-educating all staff on its privacy policies.
For Cavoukian, more safeguarding is needed to ensure Hamiltonians' health records are protected.
"Medical information is the most sensitive information that exists, and it should be unacceptable for it to be disclosed without authority," she said. "If I was the IPC, I would be in there and audit this thoroughly to make very strong recommendations for what St. Joe's should be doing."
Sebastian Bron is a reporter at The Spectator. sbron@thespec.com