Letters are going out to 151 patients at Prairie North Health Region informing them of a privacy breach involving their personal information.
The employee involved in the breach was not involved in the patients’ medical care but improperly accessed the patients’ personal health information between 2009 and 2012, which is considered a breach under the Health Information Protection Act.
Prairie North was informed of the breach in November 2012 and after a lengthy and detailed investigation, the employee was terminated, according to Irene Denis, vice-president of people, strategies and performance at Prairie North Health Region.
“We would like to sincerely apologize to each of those impacted patients,” said Denis. “We consider the protection of personal health information to be of the utmost importance.”
The incident is now being disclosed in the “interest of openness and transparency,” said Denis, with the patients being informed by letter.
According to Denis, the breaches involved the Picture Archiving and Communications System, or PACS.
PACS is a complete system of medical imaging records including personal health information and digital diagnostic images for health care providers to use. It was implemented at Prairie North in 2009.
According to Denis, the employee who was fired was in Prairie North Health Region and had access to the system, and was involved in the care of other patients but not in the care of the patients whose information was accessed.
The information accessed was region-wide, said Denis, and would have mainly involved hospital records such as for CT scans and certain X-ray diagnostic imaging.
Prairie North learned of the breach internally when “suspicious activity” was reported to one of their managers, who then notified the internal privacy officer. The employee was terminated by Prairie North a number of months ago.
To prevent this from happening again, Prairie North says it has increased its emphasis on privacy and confidentiality with its employees.
“We have expanded our training and education of staff throughout the whole region, and our training focuses on staff and our organization’s responsibilities for privacy and confidentiality under the region’s policies and provincial legislation, including the Health Information Protection Act,” said Denis.
Staff have participated in these sessions and a deputy privacy officer has been hired to assist with the privacy work and education, and further policy development.
The region has also developed a policy and education plan to ensure that all managers responsible for maintaining and using the electronic applications at Prairie North are aware of their obligations to monitor on a regular basis and to report any concerns to their internal privacy officer for investigation, said Denis.
The health region expressed its confidence that the steps taken will reduce the risk of any repeat of what happened.
As for the investigation, this particular matter is now considered closed. Patients who were impacted or have concerns about the letter they receive from Prairie North are encouraged to call the health region to discuss the matter with someone there.