Alberta Health Services has come under fire from the province's privacy commissioner for its role in the largest and longest-duration privacy breach AHS has ever experienced.
The Office of the Information and Privacy Commissioner reported Wednesday that a former AHS employee who worked at Alberta Hospital Edmonton wrongfully accessed private health information of nearly 13,000 people, raising "troubling concerns" about AHS' ability to safeguard the information.
The breach was "the largest AHS has ever experienced" and at 17 months, the longest in duration, the report said.
The OIPC investigation found that concerns about an employee's use of Netcare, the provincial health information record, were raised on four separate occasions between March 2014 and July 2015, "and that AHS failed to take reasonable steps when it did not fully investigate these issues when they arose."
The investigation found that AHS failed to ensure that the employee, who worked at Alberta Hospital Edmonton, knew about and followed safeguards designed to protect health information.
"Alberta's Health Information Act ultimately holds custodians accountable for the actions of its affiliates," privacy commissioner Jill Clayton wrote in her report, released Wednesday. "While the employee in this case improperly accessed health information, AHS did not meet its duties under HIA.
"Although AHS had administrative safeguards in place to protect health information, it failed to ensure the employee was aware of and adhering to them, and to follow up concerns about the employee's activities in a timely way."
Four recommendations to AHS
OIPC has instructed AHS to review privacy training for all employees and to improve rules and procedures around access to health information in electronic health information systems.
AHS has taken several actions in response, OIPC said, including focusing on Health Information Act training for employees and conducting an internal audit of auditing processes.
"This report should be a wake-up call for anyone responsible for protecting Albertans' health information, alerting them to the potential consequences if they fail in their duty to implement and maintain reasonable safeguards to protect health information," Clayton said in a statement.
She said the investigation "highlights a significant breach of privacy where the focus of the investigation shifted from the employee to AHS' implementation of safeguards."
In September 2016, AHS issued a news release informing the public about a former employee who had improperly accessed the Netcare health information of more than 1,309 people between 2004 and 2015. The former employee also looked at demographic information belonging to another 11,539 individuals in Netcare Person Directory.
The unauthorized accesses were discovered after an audit of the employee's use of Netcare and Netcare Person Directory.
Concerns weren't fully investigated
Clayton said AHS had received four separate concerns about the employee's alleged misuse of Netcare over a 17-month period between March 2014 and July 2015. By not investigating those concerns fully, AHS contravened the Health Information Regulation, Clayton wrote.
"It appears that without the persistence of the employee's former co-workers, who repeatedly raised the issue, the employee's unauthorized use of Netcare would not have been detected in July 2015 and may have continued on."
AHS fired the employee after an audit revealed the worker had accessed a co-worker's health information.
After AHS notified individuals affected by the privacy breach, OIPC received 30 written complaints.
New rules now in place
At the time the breach occurred, there were no requirements under the Health Information Act for AHS to report the breach to the privacy commissioner.
Amendments to the act have been in force since Aug. 31. Under the new provisions, AHS "would likely be legally required to report this breach to me, the Minister of Health and the affected individuals," Clayton wrote in her report.
The amendments brought in a fine of not less than $200,000 for a person who fails to take reasonable steps to maintain safeguards to protect against reasonably anticipated threats to the security of health information.