Stanton doctor loses medical info for more than 4,000 patients
USB stick containing personal information and doctor correspondence reported missing Nov. 13
Randi Beers
Northern News Services
Published Friday, November 28 2014
SOMBA K'E/YELLOWKNIFE
Elaine Keenan-Bengts, the territory's information and privacy commissioner, is opening an independent investigation into how a doctor at Stanton Territorial Hospital lost a USB stick containing personal information for more than 4,000 patients earlier this month.
The doctor, whose name the authority is withholding, reported the memory stick missing Nov. 13. Hospital staff spent four days searching for it before declaring it lost. It contains the names, dates of birth and health care numbers for 4,043 Stanton Medical Clinic patients, as well as 52 patients' consult letters.
Consult letters are correspondence between doctors that discuss a patient's diagnosis, prognosis and treatment options.
"It concerns me that protocols were clearly not followed, this is not the way it's supposed to be done," said Keenan-Bengts.
"You can never 100 per cent avoid human error but some basic, basic, basic protocols, if followed, would have prevented this."
The authority contacted her about the incident Nov. 19.
Stanton Territorial Authority has not yet decided whether it will take any disciplinary action against the doctor.
According to Brenda FitzGerald, CEO of Stanton Territorial Health Authority, the doctor took a USB stick that was being used by other staff to archive patient information out of a locked drawer and used it to transfer consult letters.
"The physician was not aware of what was already on the stick," she said.
The device was not encrypted, which means anybody who finds it can access the data easily.
FitzGerald said the doctor can't definitively say whether the USB stick was left the hospital or say for sure where he last saw it.
"We just don't know that," she said, adding the hospital does not have any evidence the information has been found or used inappropriately.
FitzGerald said staff will undertake a full review of the incident. In the meantime, she has directed staff to stop using unencrypted information storage devices. She confirmed it is "inconsistent" with hospital policy to store and transfer medical data on such tools.
The territorial Health Information Act, passed in March, obligates Department of Health and Social Services (HSS) employees to take administrative and technical safeguards for the protection of patients' health information. Failing to comply with the act is an offense punishable by a fine of up to $50,000.
However, this doctor can not be held accountable under the act because, according to Keenan-Bengts, it won't be fully implemented until sometime next year.
"There is still a lot of work to be done including education," she said.
"Is this a situation where discipline should be meted out? Yes. That said, this is not one of those instances where it was deliberately done - it was a mistake."
FitzGerald said Stanton Health Authority will also conduct an internal review of the incident.
"The review includes a look at compliance to policy and procedures and other elements as well," she said.
"We will take appropriate action in follow up to that, but we also took immediate action as soon as this situation was discovered."
The immediate action taken by the hospital included announcing the privacy breach publicly on Nov. 27.
The people whose names, dates of birth and health care numbers have been compromised visited the hospital at least five years ago.
This could make the process of informing them complicated, FitzGerald acknowledged.
"That is something we are working on," she said.
"We will make every effort to contact these individuals."
The patients whose information was lost are from throughout NWT, as well as the Kitikmeot region of Nunavut.
FitzGerald said their information was taken from the hospital's computer system and put on a the USB drive because the hospital is in the process of archiving files.
The 52 consult letters added by the doctor who lost the USB are recent and belong to active patients of the hospital.
This is not the first time NWT resident's health information has been lost.
Earlier this year, HSS staff at an Inuvik office mailed 196 health care cards to wrong addresses. Eighty six of those cards are still missing.
The department maintains this was an isolated incident and has committed to monitoring the cards for one year for any suspicious activity.
In a recent interview with Yellowknifer, Daniel Williams, senior call-taker supervisor at the Canadian Anti-Fraud Centre, said it's possible to commit identity fraud with a stolen health card and advised anyone whose card is missing to immediately call the RCMP to report it stolen.
"If you lost a health card, it could absolutely be bad for you," he said.
"It's very important to report it to the local police and the agency that issued the card so they can get it on file."
Identity theft is the "most massive" form of fraud affecting North America, said Williams.
In her annual report for 2012-2013, Keenan-Bengts wrote that year was the "year of health privacy concerns." She made a total of seven recommendations to HSS focusing on the collection, use or disclosure of health information in her report.
Keenan-Bengts told Yellowknifer she believes this incident will be a "wake-up" call for Stanton Territorial Health Authority.
"I've said it before and I'll say it again - once privacy has been breached it's been breached," she said.
"There's nothing they can do to undo what's been done. The USB is lost."
Keenan-Bengts said she expects to publicly release a final report from her investigation in the next several months.
Whether or not the health authority will make its internal review available to the public will be decided as part of that investigation.