Identity of leaked health information source remains a mystery after ombudsman investigation
Leaked health information of 91 people included professional athletes, politicians
An investigation into leaked health information that identified dozens of professional athletes, politicians and other prominent individuals was unable to determine the identity of the person who leaked the information.
The Manitoba ombudsman opened its investigation in August 2017 after a confidential document — suggesting that certain Winnipeg Jets players, politicians and other public figures possibly received preferential access to MRI scans — was leaked to the media.
"There is no sliding scale for privacy and the law does not differentiate who should have more, or less, privacy under [The Personal Health Information Act]," the ombudsman wrote in the conclusion to its report, which was released on Tuesday.
In total, the health information of 91 individuals was leaked.
"It is irrelevant under the law whether you may be a prominent citizen, such as someone who might be considered a person of any potential influence," the report said.
The leaked information was compiled by the Office of the Auditor General as part of its research into its recent audit into the province's management of MRI services.
The Auditor General's office has insisted the leak did not come from them, and that the compiled list was initially only shared with two people within the WRHA.
"Our investigation was not able to determine the identity of the person(s) who made the unauthorized disclosures to media organizations, nor were we able to determine whether the breach originated within the WRHA," the report said in its introduction.
Although it couldn't offer specific recommendations to prevent future breaches of privacy, the ombudsman report offered suggestions on how agencies trusted with private health information can minimize the risks to patients.
Since the leaked records were compiled because the Winnipeg Regional Health Authority disclosed it to the Office of the Auditor General in a way that identified patients. The Personal Health Information Act requires agencies "to limit the amount of personal health information disclosed to that which is necessary to accomplish the purpose," the ombudsman report said.
The report recommends that agencies bring in their privacy officers whenever an external audit involves the bulk disclosure of identifying health information. It also urges that agencies find "the least privacy-invasive identifiers and only use names if necessary."
If personal health information needs to be disclosed to an outside organization, agencies should consider whether it needs to be kept in an identifiable form and look for ways to strip out identifying information at the earliest opportunity.