Snooping detection at Health PEI needs improvement, says privacy commissioner
Careful analysis of auditing process required, says Karen Rose
Health PEI responded well to unauthorized access of its Clinical Information System, but was slow in detecting the breach, says P.E.I.'s privacy commissioner.
Last fall Health PEI revealed that an employee had been accessing patient records without authorization for three years, snooping into the files of 353 people. The employee, a personal care worker, was fired.
P.E.I. Information and Privacy Commissioner Karen Rose issued her report on the breach last month. Rose found that while Health PEI conducts random audits of employees' use of the system, the fact that it took three years to uncover this breach showed those audits were inadequate.
"There is room for improvement in their auditing process, for better detection of snooping," Rose wrote in her report.
"I recommend that Health PEI conduct a careful analysis of its auditing process."
The employee's unauthorized activity was eventually detected by an audit requested by a nurse manager who noticed some unusual activity.
Snooping could have been mitigated
Rose also found in this particular instance there was an opportunity to limit the amount of information the employee had access to.
The employee had previously been a licensed practical nurse. Changes in education qualifications in 2014 meant the employee could not carry on as an LPN, but the employee did continue to work as a PCW.
The employee's login credentials, however, were not changed. They were able to log in as an LPN until they were dismissed.
"If the employee's access to the CIS had been changed to that of a PCW, they would have had access to less personal health information," wrote Rose.
The employee was also able to update some charts, and made 835 changes.
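The report's two findings, that random audits missed three years of snooping and that an account kept LPN-level access after the person's role changed to PCW, both map onto checks that can be run over every access record rather than a sample. The following is an added illustration, not Health PEI's code or the CIS's actual log format: the record layout, role names, user and patient IDs, care assignments and the flagging threshold are all constructed assumptions. It flags accesses to patients the user was not assigned to that day, counts chart updates among those accesses, and reports accounts whose provisioned CIS role no longer matches the role HR has on file.

```python
"""
Added example: rule-based snooping and stale-role detection over constructed
CIS-style access records. Not Health PEI's code; every ID, role and record below
is an assumption made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    user: str
    cis_role: str   # role the account is provisioned with in the CIS
    patient: str
    action: str     # "view" or "update"
    day: int        # constructed day index


# Constructed HR roster: the role each person currently holds.
HR_ROLE = {"u100": "LPN", "u200": "PCW", "u300": "RN"}

# Constructed care assignments: (user, day) -> patients that user was assigned.
ASSIGNED = {
    ("u100", 1): {"p1", "p2"},
    ("u200", 1): {"p3"},
    ("u200", 2): {"p3"},
    ("u300", 1): {"p1", "p4"},
}

# Constructed access log. u200 is the case in the report: HR says PCW, but the
# CIS account was never re-provisioned and still carries LPN-level access.
LOG = [
    Access("u100", "LPN", "p1", "view", 1),
    Access("u100", "LPN", "p2", "update", 1),
    Access("u200", "LPN", "p3", "view", 1),     # assigned patient, stale role
    Access("u200", "LPN", "p5", "view", 1),     # not assigned
    Access("u200", "LPN", "p6", "update", 1),   # not assigned, chart changed
    Access("u200", "LPN", "p7", "view", 2),     # not assigned
    Access("u300", "RN", "p4", "view", 1),
]


def stale_role_accounts(log, hr_role):
    """Return {user: (cis_role, hr_role)} for accounts whose CIS role differs from HR."""
    stale = {}
    for a in log:
        expected = hr_role.get(a.user)
        if expected is not None and a.cis_role != expected:
            stale[a.user] = (a.cis_role, expected)
    return stale


def unassigned_accesses(log, assigned):
    """Return accesses to patients not on the user's assignment list for that day.
    A user with no assignment entry for a day is treated as assigned to nobody."""
    return [a for a in log if a.patient not in assigned.get((a.user, a.day), set())]


def snooping_report(log, hr_role, assigned, threshold=2):
    """Per-user summary. A user is flagged for review when unassigned accesses
    reach the threshold or any unassigned access updated a chart."""
    stale = stale_role_accounts(log, hr_role)
    per_user = defaultdict(lambda: {"accesses": 0, "unassigned": 0, "unassigned_updates": 0})
    for a in log:
        per_user[a.user]["accesses"] += 1
    for a in unassigned_accesses(log, assigned):
        s = per_user[a.user]
        s["unassigned"] += 1
        if a.action == "update":
            s["unassigned_updates"] += 1
    report = {}
    for user, s in per_user.items():
        s["stale_role"] = user in stale
        s["flagged"] = s["unassigned"] >= threshold or s["unassigned_updates"] > 0
        report[user] = dict(s)
    return report


if __name__ == "__main__":
    for user, summary in snooping_report(LOG, HR_ROLE, ASSIGNED).items():
        print(user, summary)
```

The assignment-list check is what turns auditing from a random sample into a rule that evaluates every record, and the stale-role check is the reconciliation that would have caught the LPN-provisioned account when the person's HR role became PCW; running both on a schedule is the kind of "careful analysis of its auditing process" the report recommends.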
No evidence of malice
The employee never revealed a reason for the unauthorized use of the CIS, but both Health PEI and Rose believe the information was not disseminated, and both reached similar conclusions about why the employee continued to use the CIS when their duties did not allow it.
"[There is] no evidence of malicious altering of information," wrote Rose.
"The employee most likely continued the charting practices that they had established in their previous role as an LPN."
While Rose had some recommendations for improvements, she found Health PEI behaved well in informing the victims of the breach and in its communications with employees after it was discovered.
"The actions of Health PEI to remediate this breach have been thoughtful, and their efforts at training and education are reasonable," she wrote.
Rose thanked Health PEI for carrying out its responsibilities and for its co-operation during her investigation.