This article is more than 1 year old.

What to know about the Nova Scotia Health privacy breach

Privacy commissioner releases 12 findings, recommendations

3 min read
A person uses a mouse in front of a keyboard.
caption Nova Scotia Health issued an apology for 2020 privacy breaches.
Brad Chandler

Nova Scotia Health (NSH) is being called out by the province’s information and privacy commissioner after eight employees were caught snooping in medical records linked to the April 2020 mass killing.

Background: The term ‘snooping’ is used when someone accesses private information for personal purposes instead of work purposes, according to the report. It falls under the province’s Personal Health Information Act (PHIA).

Exposed: NSH audited the employees and found some of them have been snooping for years. Some were fired, others were suspended. NSH reported the breaches to the Office of the Information and Privacy Commissioner (OIPC) on Jun. 15, 2020.

Information and privacy commissioner Tricia Ralph began investigating in Aug. 2020 and found the employees were looking into personal health records of family, friends and acquaintances.

Investigators reviewed documents from NSH and talked to some patients affected by the breach. 

Ralph released a report on Feb. 8. It includes 12 findings and 12 recommendations.

Numbers: Eight employees snooped on 270 people at least 1,200 times, the report confirms.

A glass door has two paper signs that say “No public entry” and “Office of the Information and Privacy Commissioner.”
caption The Office of the Information and Privacy Commissioner is on Spring Garden Road.
Shazara Khan

Why it’s important: Ralph told The Signal these patients felt violated and anxious about their personal information being accessed that way.

“It can really affect future care because if people don’t trust in the system,” she said, they may not “give as much information to their healthcare providers.”

Sorry: An apology was posted on the N.S. Health website the same day the report came out. “This breach added further unnecessary harm to the families of those who lost loved ones … We deeply regret that this breach took place,” it reads. N.S. Health is “committed to protecting the confidentiality of patient information” and following the PHIA.

What’s next: NSH has 30 days to accept or decline Ralph’s recommendations. It has accepted “most of the 12 recommendations,” according to the statement.

Ralph said she’s focusing on preventing similar incidents in the future, noting health-care facilities still use older systems that don’t have proper policies and procedures to prevent snooping.

Electronic systems should have built-in tools to limit employee access to records, she said.

Tech upgrade: One Person One Record (OPOR) is an upcoming system that will digitize Nova Scotia’s health-care starting in 2025. It will have an automatic auditing function that lets users know when someone accesses their medical records, Ralph said, adding OPOR will be better at preventing targeted lookups.

Penalties: Ralph said while Nova Scotia isn’t filing charges at this time, some provinces are taking stricter measures and treating privacy breaches as a regulatory offence.

Share this

About the author

Shazara Khan

Shazara Khan is a journalism student at the University of King's College. Before coming to Halifax, she got a Bachelor of Science from her hometown...

Have a story idea?