A woman’s medical records were unlawfully accessed time and time again over a period of months by two siblings at the NWT’s health authority, a report states.
Territorial information and privacy commissioner Andrew Fox looked into the incidents, which began in 2022 and continued into 2023.
His review of what happened was finalized late last month and published this week.
The siblings were not named in the report (the commissioner’s reports rarely, if ever name people involved in cases). There is no indication that either person lost their job over the privacy breaches, though each was briefly suspended.
Fox said one of them had once been in a relationship with the woman whose health information they unlawfully accessed.
Advertisement.
Advertisement.
“This was a serious privacy breach that caused significant distress to the patient,” Fox stated.
“The patient advised that this invasion of personal privacy had an extreme and lasting impact on her personal well-being and trust in the system.”
According to Fox’s report, the patient began to suspect in the summer of 2023 that her personal health information “had been improperly accessed.”
She asked for the NWT health authority to provide a record of activity for her file – a document showing the names of every person who had accessed the file electronically.
Advertisement.
Advertisement.
On that list, the patient discovered the names of two health authority employees “who were not involved in her care,” Fox wrote.
“The patient had previously been in a relationship with one of the employees,” he noted. “The two employees were siblings.”
An investigation by the health authority revealed one employee had “deliberately accessed” the patient’s records at least eight times over an 11-month period, according to Fox, and the other had accessed the records twice more. He said the two had admitted their misconduct.
“The motivation seems to have been curiosity proceeding from a personal relationship – something that is wholly irrelevant to lawful authority and serves only to underline the employees’ unprofessional misconduct,” he wrote.
“There is no suggestion the employees held a mistaken belief that their actions were lawful. Presumably they thought their actions would go undiscovered.”
Fox said both employees had completed privacy training but this incident showed training “does not guarantee that employees will behave ethically.”
The health authority revoked the employees’ access to electronic medical records the day after being notified by the patient of her concerns. Fox said both members of staff were suspended without pay for 10 days and then reassigned to roles not involving medical records.
“NTHSSA reported the incident to both employees’ regulatory bodies,” he wrote, using an initialism for the health authority.
Advertisement.
Advertisement.
“The independent reviews of the employees’ professional conduct were not directly connected to NTHSSA’s disciplinary process, nor were they under my jurisdiction as the information and privacy commissioner. Neither employee lost their certification as a result of this incident.”
In his report, Fox expressed skepticism that the employees would have learned their lesson by the time health authority-imposed suspensions of their access to medical records – suspensions lasting up to two years – expire.
“One might reasonably expect that medical professionals who belong to professions with regulatory bodies would understand the need to respect patient privacy,” he stated.
“Having demonstrated that this was not true in their cases, these two employees should have to prove they fully understand the legal requirements applying to NTHSSA employees.”
He concluded the health authority had taken reasonable measures to safeguard personal health information but those were “thwarted by deliberate employee misconduct.”
“This was a significant breach of trust on both employees’ part,” Fox wrote.
“Their deliberate, unprofessional and unethical conduct … significantly affected the patient’s trust in NTHSSA as health information custodian.”
