A Horizon Health Network employee has been fired after they "inappropriately accessed" the personal health information of 1,251 people at Charlotte County Hospital in St. Stephen, N.B., allegedly "out of curiosity."
In a statement, Horizon's vice-president of quality and patient-centred care, Margaret Melanson, describes the situation as a "significant privacy breach."
Horizon has sent notification letters to those affected and notified the Office of the Ombud.
"As part of Horizon's investigation into this matter, we believe there is no evidence to suggest any health information was shared with anyone else," Melanson said, without elaborating.
"Horizon takes the privacy of our patients and clients very seriously, and we sincerely regret this incident happened."
No information about when the breaches occurred has been released, but the employee worked in the health records department at the hospital and was dismissed on April 23, Horizon spokesperson Kris McDavid confirmed.
"As this is not a criminal matter, police are not involved," he said.
McDavid also confirmed the authenticity of a copy of one of the notification letters obtained by CBC News, which is dated June 17.
Asked about the nearly two-month delay in alerting patients, Melanson said Horizon had to complete its investigation before the letters could be sent.
"This situation entailed preparing over 1,200 individualized letters, which required a significant amount of time to prepare, translate and verify addresses," she said.
According to the letter sent by Horizon's chief privacy officer Kelly Chase, the investigation was completed on April 19. The privacy breach was discovered during an audit of electronic accesses to personal health information through Allscripts, it states.
Allscripts is an electronic health record system that provides clinical charting for health-care professionals and hospitals in the greater Saint John area.
As part of our investigation into this matter, we are satisfied that the health information was accessed by the clerk out of curiosity. - Kelly Chase, Horizon's chief privacy officer
A health information management clerk accessed the information "with no work-related need to know, contrary to Horizon's privacy policies and the [provincial] privacy legislation," according to the letter.
"I am writing to you, because the Personal Health Information Privacy and Access Act of New Brunswick, requires that we notify individuals when we become aware that their health information has been accessed inappropriately," wrote Chase.
"As part of our investigation into this matter, we are satisfied that the health information was accessed by the clerk out of curiosity, and there is no evidence to suggest any health information was shared with anyone else."
No information about the people affected, such as whether they're female or male, their ages or where they live, has been released.
No other information about the employee, such as whether it's a man or woman or how long they had worked at the hospital, has been released.
Horizon has taken "all appropriate steps to thoroughly investigate this matter," said Melanson.
Any patients and clients with concerns about their privacy are encouraged to connect with Horizon's chief privacy officer, she said.
Ombud fields complaints from 'very concerned' people
The province's interim ombud, Charles Murray, said his office has received "a number" of complaints from affected individuals but declined to say how many.
"For the purposes of our work, one is sufficient," he said.
Murray did say all the complaints are very similar, people are "very concerned" about their privacy being breached.
"The law and policy have long regarded health information as some of the most intimate information, which is deserving of some of the highest levels of protection in our systems," he said.
While many people feel free to share their phone number, which might be in the phone book, or possibly even their address, which they might have on their business cards, it's "very rare" that people share their health information with anyone who isn't directly involved in their health care.
"So both the statutes and the policy scheme recognizes that by their very nature, invasions into persons' health information are serious and need to be dealt with seriously."
Murray has been in contact with Horizon about its investigation, what it's doing to contain the breach as best as possible and what further actions it's going to take.
"Depending on the response we receive to that, we may conduct our own inquiry into certain aspects of the matter."
He wants to know, for example, the basis for Horizon's conclusion that no information was shared with another party and how that was verified.
Such "snooping" cases are not uncommon in health care, he said.
The health system, to function effectively, requires that caregivers be able to access a person's medical information.
"So we rely upon their professionalism and integrity to ensure that they only look at files for which they have a care reason, or a professional reason," said Murray.
"It appears in this case that that's not what occurred."
If the Office of the Ombud conducts its own investigation, it would be confidential until it releases a report, said Murray.
A report could include recommendations on how best to rectify the breach and how to prevent future similar breaches.