'Snooping' Central Health employee accessed patient diagnoses, personal info in 2-year privacy breach: CEO
Andrée Robichaud says privacy expert to be brought in to beef up security
A former employee of Central Health involved in a series of privacy breaches, spanning two years and 240 patients, had access to files containing people's personal and medical information, says the health authority's CEO.
CEO Andrée Robichaud said someone from outside the health authority alerted them on June 14 that an employee had shared a patient's personal information, and an internal audit kicked into gear.
"We saw that we had an employee with clinical responsibilities … which means he had access to the Meditech system, that had been snooping, for lack of a better word," she said.
Robichaud referred to the employee at the centre of the breach as both he and she throughout the interview.
She refused to specify where the employee worked within the health authority, what the person's job was, or their motivations.
The employee, who hasn't been identified but no longer works with Central Health, had access to two types of files, which contained summary information of a patient in hospital, including their diagnosis, their attending physician, age, sex and even what room in the hospital they were in.
That information was stored electronically and required a user name and password.
Robichaud said because of the person's clearances, he should have known better than to go through the information.
"We had an individual with clinical responsibilities, who had gone through privacy training, knew they were not to do that, and actually broke the law," she said.
Security getting a bump
Central Health performs weekly privacy audits designed to catch breaches, picking employees at random and checking their access, as well as doing more targeted audits. But this breach fell through the cracks, prompting questions as to why.
"We're going to go back and see if there's anything we're not doing," Robichaud told CBC Radio's Newfoundland Morning.
Every Central Health employee has to go through privacy training upon hiring, but Robichaud said Central Health will beef that up to an annual refresher, and bring in outside expertise.
"Given the size of this breach, we are going to bring in a privacy expert to look at what we're doing, and if there's anything we can improve," she said, apologizing to those people affected.
Central Health began phoning the patients yesterday, with 70 contacted so far.
Robichaud would not specify where the employee worked within the health authority, what his job was, or his motivations.
"In the industry, we see this as snooping," she said, adding that as far as she knows, the person doesn't appear to have copied any files.
- The CEO of Central Health referred to the employee at the centre of the privacy breach as both he and she throughout the interview. A previous version of this story included a quote, which was accurate, but only included a reference that the employee was a man. Central Health is not releasing details about the employee, including what part of the agency he or she worked. (Jul 29, 2020 12:00 PM NT)
With files from CBC Newfoundland Morning