
Eastern Health ordered to tighten procedures after patient privacy breach


Commissioner's office investigated after 2 complaints of May 2015 breach


Newfoundland and Labrador's privacy commissioner is ordering Eastern Health to remind staff to log out of computer programs, following an investigation of a privacy breach.

Information and Privacy Commissioner Donovan Molloy's report describes the May 28, 2015, incident as an "intentional breach of patient information."

The report says an unknown person inappropriately accessed and printed personal health information from the account of a doctor who didn't log out of patient information software, called Meditech.

While a number of patients were involved, Molloy only looked into two specific complaints.

Perpetrator not identified

The information consisted of patient names, MCP numbers, gender, age, hospital admission date, attending physician and reason for visit.


That information was then anonymously sent to the Department of Health and the College of Physicians and Surgeons.

The investigation could not determine who committed the breach, so no charges were laid.

"Despite the thorough investigation undertaken — which included attempted fingerprint/DNA analysis of the envelopes sent to the department and the college — Eastern Health was unable to confirm, with the necessary degree of certainty, the identity of the person responsible for the intentional inappropriate access," the report read.


"No other avenues of investigation offered any prospect of proving the identity of the offender such that a prosecution would be viable."

The report went on to say the physician whose account was accessed was on rounds in another part of the hospital when the records in question were printed and could not have printed them.

It said the doctor maintained he didn't give his user name and password to anyone, but it appears he did fail to log out of the Meditech system after completing a clinic earlier in the day.

Outside the authority's control

The files were later printed at that location from the open account.

The hospital or health centre where it happened was not named in the report.


A release said the breach was outside the health authority's control and "perpetrated by someone who chose to ignore clear rules and policies regarding the protection of personal health information."

"This person was able to inappropriately access the information through the account of another doctor when he inadvertently failed to log out of his computer session, contrary to Eastern Health policy," it read.

Molloy has ordered Eastern Health to look into "automatic log-out times" on its systems and to "remind employees of the importance of logging out of computer sessions and of the consequences for failing to do so."

He also asked the health authority to look into the feasibility of installing proximity card readers.

Such readers can automatically log staff in when they get close enough to a computer, and log them out when they move outside that area.