Privacy breach by employee called ‘particularly egregious, intentional’

N.W.T. health worker fired for improper access of patient records

The Northwest Territories Health and Social Services Authority (NTHSSA) fired one worker for improperly accessing a patient’s medical record, according to a CBC report.

An administrative clerk at NTHSSA accessed a patient’s electronic medical record (EMR) in 2021 and disclosed private information to an unauthorised individual, reported CBC.

Northwest Territories Information and Privacy Commissioner Andrew Fox labelled the breach as “deliberate,” adding that it occurred “without consent and without lawful authority.”

The clerk later admitted to the misconduct during an internal investigation and was subsequently terminated.

Fox described the incident as a "particularly egregious, intentional privacy breach," according to CBC. While he acknowledged that the health authority’s response was appropriate, Fox said the agency should have revoked the employee’s EMR access as soon as the breach was confirmed.

Nova Scotia Health had previously fired one of its workers for inappropriately accessing the personal health information of over 2,000 patients at one hospital.

No alerts on hospital software?

In a more recent case, a pair of sibling employees at NTHSSA accessed a patient’s EMR without authorisation or clinical justification.

One of the employees had previously been in a relationship with the patient, Maryse Gravelle.

The breach came to light when Gravelle requested a "record of activity" report in July 2023, which detailed who had accessed her EMR.

"I was disgusted. I felt incredibly violated," Gravelle told CBC.

Fox described the incident as a “deliberate and serious breach of trust,” noting that it caused the patient “significant distress.”

Both employees admitted to the misconduct. They were suspended without pay for 10 days, and the NTHSSA revoked their EMR access for a minimum of 18 months.

Despite the disciplinary measures, Gravelle questioned the adequacy of security protections in place for patient data.

"Our financial institutions have software in place to identify when there's a fraudulent charge possibly being made on our accounts," she told CBC. "How can a banking institution have those sorts of safeguards in place, but there's no alerts on hospital software, on electronic medical records, to alert when there's a suspicious action in somebody's chart?"

Meanwhile, the NTHSSA is reviewing its practices and “has committed to ensuring the notification occurs as soon as a privacy breach is confirmed, regardless of whether a full investigation has been completed,” said CEO Kim Riles in the same report.

Previously, a mistake by one employee caused a massive data breach at the Canada Border Services Agency (CBSA). In February, personal and workplace details of approximately 18,000 employees of the government agency were mistakenly shared with 70 managers in an internal email, reported the Vancouver Sun.

How can we protect data privacy?

Mara Calvello, content and communications manager at business software and services review firm G2, said implementing strong data risk management protocols is essential for organisations looking to avoid breaches.

“Effective data risk management involves identifying, assessing, and mitigating potential risks to an organisation’s data. By implementing strong data governance frameworks and regular risk assessments, organisations can proactively address potential threats such as cyberattacks, data leaks, and insider threats.”

“It also includes establishing clear protocols for data protection, encryption, and security controls, ensuring that sensitive information is secure. A comprehensive risk management approach helps organisations not only prevent data breaches but also minimise the financial and reputational damage caused by incidents when they do occur.”
