Manitoba

Former Manitoba Health employee snooped on records of family, senior public officials: ombudsman

Manitoba Health didn't do enough to mitigate the risks of a privacy breach. That was the provincial ombudsman's finding in a report detailing the investigation of an employee who accessed the medical records of his estranged daughter, colleagues and some senior public officials.

Report in response to privacy breach says department didn't do enough to mitigate risks

Manitoba's ombudsman released a report and recommendations after investigating a privacy breach by a former Manitoba Health employee. (Getty Images)

The province's ombudsman says Manitoba Health didn't do enough to mitigate the risks of a privacy breach.

That was Charlene Paquin's finding in a report detailing the investigation of an employee who accessed the medical records of his estranged daughter, colleagues and some senior public officials. 

The ombudsman's report, released Tuesday, included 11 recommendations, including hiring a chief privacy officer for the department and conducting a comprehensive review of how Manitoba Health manages its privacy obligations to Manitobans.

The investigation started in 2014 when the employee, a former city police officer, learned from his ex-wife that his daughter had been hospitalized for psychiatric reasons and then accessed his daughter's private health records.

CBC is not naming the offender to protect the identity of his daughter.

The investigation also found the man accessed personal health information of other family members, professional contacts, acquaintances, other departmental employees and a small number of senior public officials. 

Accessed computer after resignation

"Several individuals who complained to our office reported suffering psychological harm and anxiety as a result of the employee's invasion of their privacy. Some individuals also reported fear for their safety stemming from past experiences in their relationships with the employee," the ombudsman's report said.

An investigation also found that while the department was moving toward firing the employee, he turned in his resignation, which was effective immediately. But a few days later he was able to get back into the building where he worked and log into his computer. A forensic examination found that he deleted files from his account. 

He was charged in April 2016 with one criminal charge under the Personal Health Information Act. He was found guilty and fined $7,500 earlier this year.

The final report and recommendations were held until the court proceedings were over. 

"Organizations that hold personal health information must have policies, procedures and safeguards in place to ensure that this information is only accessed by employees who have a legitimate work-related purpose for doing so," said Paquin in a news release on Tuesday. 

"Employees need to know that snooping into the personal health information of others is a very serious matter." 

The ombudsman's investigation reviewed the unauthorized access to information and what the response was, looking at how Manitoba Health prevents, detects and ultimately reacts to such breaches. 

Manitoba Health didn't respond in a timely way to address or stop privacy breaches in some instances, the report says.

Its recommendations also include reviewing Manitoba Health's policies and procedures and developing a regular audit process to see who is accessing records and why.

Paquin said Manitoba Health accepted all of the report's recommendations and has already made changes, or committed to making them. She added the department made changes after the 2014 breach was discovered.