What to know about the Nova Scotia Health privacy breach

Nova Scotia Health (NSH) is being called out by the province’s information and privacy commissioner after eight employees were caught snooping in medical records linked to the April 2020 mass killing.

Background: The term ‘snooping’ is used when someone accesses private information for personal purposes instead of work purposes, according to the report. It falls under the province’s Personal Health Information Act (PHIA).

Exposed: NSH audited the employees and found some of them have been snooping for years. Some were fired, others were suspended. NSH reported the breaches to the Office of the Information and Privacy Commissioner (OIPC) on Jun. 15, 2020.

Information and privacy commissioner Tricia Ralph began investigating in Aug. 2020 and found the employees were looking into personal health records of family, friends and acquaintances.

Investigators reviewed documents from NSH and talked to some patients affected by the breach. 

Ralph released a report on Feb. 8. It includes 12 findings and 12 recommendations.

Numbers: Eight employees snooped on 270 people at least 1,200 times, the report confirms.

Why it’s important: Ralph told The Signal these patients felt violated and anxious about their personal information being accessed that way.

“It can really affect future care because if people don’t trust in the system,” she said, they may not “give as much information to their healthcare providers.”

Sorry: An apology was posted on the N.S. Health website the same day the report came out. “This breach added further unnecessary harm to the families of those who lost loved ones … We deeply regret that this breach took place,” it reads. N.S. Health is “committed to protecting the confidentiality of patient information” and following the PHIA.

What’s next: NSH has 30 days to accept or decline Ralph’s recommendations. It has accepted “most of the 12 recommendations,” according to the statement.

Ralph said she’s focusing on preventing similar incidents in the future, noting health-care facilities still use older systems that don’t have proper policies and procedures to prevent snooping.

Electronic systems should have built-in tools to limit employee access to records, she said.

Tech upgrade: One Person One Record (OPOR) is an upcoming system that will digitize Nova Scotia’s health-care starting in 2025. It will have an automatic auditing function that lets users know when someone accesses their medical records, Ralph said, adding OPOR will be better at preventing targeted lookups.

Penalties: Ralph said while Nova Scotia isn’t filing charges at this time, some provinces are taking stricter measures and treating privacy breaches as a regulatory offence.