Nova Scotia·CBC Investigates

More than 2,500 privacy breaches at N.S. health authority in recent years, report says

There were more than 2,500 privacy breaches at the Nova Scotia Health Authority over a 27-month period, but the most serious ones are never reported to the province's privacy commissioner.

Most are in the minor category, but privacy commissioner still calls for change

Documents obtained by CBC through a freedom of information request show there were 2,562 reports of personal health information improperly shared by the Nova Scotia Health Authority over 27 months. (John Panella/Shutterstock)

There have been almost 100 privacy breaches per month on average at the Nova Scotia Health Authority in recent years.

But there is no way for the public to know how many people have been impacted by having private health information improperly shared.

Not even the province's privacy commissioner is fully informed and she wants to see that changed.

"It could be psychiatric notes, diagnoses, procedures you've had that you don't want other people to know about," Catherine Tully said.

CBC used a freedom of information request to obtain the number and kind of privacy breaches at the health authority in recent years.

CBC was told the organization was unable to provide the number of patients who have had their personal information improperly shared.

"Please note that these are counts of breach reports, some breaches may involve more than one person, there is not a way to capture this in reporting at this time," according to a statement included in documents provided.

However, an NSHA spokesperson said the authority knows the majority of the breaches involve only one patient each and are minor in nature.

Catherine Tully is the privacy commissioner for Nova Scotia. (Steve Lawrence/CBC)

Tully said it's important to know how many people are affected in order to assess the seriousness of each breach.

"Was it one person? It could still be a serious breach. Is it 10,000 people? Is it 100,000 people?" she said.

"We have these huge databases in N.S. There could be 800,000 people affected by the breach. That's within the realm of possibility here in Nova Scotia."

The document shows there were 2,562 reports of privacy violations of patients, employees, contractors and volunteers between Oct. 1, 2016 and December 31, 2018.

It provides general descriptions of what happened, for example, inappropriate sharing/disclosure of information to others. It classifies the breaches as no harm, mild harm, moderate harm and severe harm.

Privacy breaches can take many forms. Often, they're unintentional, but some are not.

Numbers provided by the health authority in response to a freedom of information show the number of breaches from employees snooping on patients in recent years.   

Number of breaches by employees snooping on patients
YearEmployees InvolvedTotal Patients
20169355
201718168
201857

 

Most of the 2,562 breach reports fall within the lesser classifications, as defined by the authority. 

No harmNo likelihood of harm and no notification required, breach within health care or contained within N.S. health authority
Mild harmSome likelihood of harm, notification is required, information breached outside of health care or N.S. health authority and contains limited patient health information.
Moderate harmStrong likelihood of harm, notification is required, significant patient health information has been breached. The breach may or may not be contained.
Severe harmExtreme likelihood of harm, notification is required. 

 

Patients must be notified in every instance except for the no harm category.

'It makes absolutely no sense'

Provincial legislation requires the privacy commissioner only to be notified about no harm breaches, meaning they are so minor not even the patient is notified.

"It makes absolutely no sense," Tully said. "I call it the upside-down breach-reporting requirement."

Tully said it's important that minor breaches are reported to her office.

But, she said: "It's also very important that when there is a risky breach where there's harm to individuals [that] there's some independent oversight looking at what happened, what did you do and have you done enough to prevent this from happening again."

There are 68 reports classified as moderate. Only three are categorized as severe.

When the news was shared with Tully, it was the first time she had seen all of the numbers.

Tully said classifying the breaches is subjective and she points out that NSHA classifies "inappropriate sharing/disclosure of information to others" as no harm, mild harm, moderate harm and severe harm in different reports.

There is also no way to know whether the breaches were identified by NSHA staff or patients.

Tully said the province's legislation that only requires no harm cases be reported to her is "completely inconsistent" with every other jurisdiction that has breach reporting, including Europe, Alberta and Ontario.

She has asked government to change legislation "a number of times" so all breaches are reported to her office. The premier said earlier this year he would review the legislation, but made no promises to change it.

"I would like them to add to the law a mandatory requirement that they report breaches to our office where there's a real risk of significant harm and that they do so in a timely fashion," she said, adding that in Europe those breaches are required to be reported to privacy commissioners within 72 hours.

Improvements being made

Tully said the NSHA has been working with her office to improve its breach reporting and has already implemented a number of recommendations her office made a few years ago.

She said health-care providers have started using a new breach reporting form as of April 1.

It will require each report to identify how many people were impacted, although the reports will still only cover no harm breaches.

NSHA responds

While the privacy commissioner may not get information on serious breaches, Colin Stephenson, an NSHA executive, said all privacy breaches are reported, whether to the privacy commissioner, the person impacted or the health authority itself.

Colin Stephenson of the health authority said the majority of privacy violations happen internally or within the medical community and are so minor not even the patient is notified.

He said notification is always made to those whose privacy has been breached if there is any chance of harm or embarrassment.

"Our primary obligation, and the most important thing for us to do, is to make sure that individuals who have potentially had their information accessed are notified of that," Stephenson said.

He points out most of the breaches, up to 80 per cent, fall into the no harm category, and are reported to the privacy commissioner.

He also said when there is a "significant or substantial" breach, which requires a more thorough investigation, NSHA has, and will continue, to enlist the help of the privacy commissioner.

However, when asked directly whether the NSHA has plans to report all breaches to the privacy commissioner, Stephenson said, "We haven't at this stage made any plans to shift or change what our reporting is."

Tully is urging Nova Scotians to "become activists" around the protection of privacy.

She said Nova Scotians who discover their privacy has been breached by health providers, or who get a breach notification from them, should speak up. She said they can complain to her office, which will determine if an investigation is needed.

Stephenson said any Nova Scotian can, at any time, ask for an audit of their health record to see who has accessed their personal information.

About the Author

Yvonne Colbert

Consumer Watchdog

Yvonne Colbert has been a journalist for nearly 35 years, covering everything from human interest stories to the provincial legislature. These days, she's focused on helping consumers get the most bang for their bucks and avoid being ripped off. She invites story ideas at yvonne.colbert@cbc.ca.

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.