Hospital confirms breach of privacy
Patients notified staff 'inappropriately' accessed their information
Sarah Ladik
Northern News Services
Thursday, May 12, 2016
INUVIK
The Beaufort Delta Health and Social Services Authority has confirmed 67 patients have been notified their information was compromised.
Director of quality improvement and health services Stacey Christie, left, hospital CEO Arlene Jorgensen, and manager of clinics and client records Nichole Whitcomb speak to media May 9 at the Inuvik Hospital about a privacy breach last year and what has been done to rectify the situation. - Sarah Ladik/NNSL photo
|
"It's really important for us to be as transparent as we can in managing this breach," said Inuvik Regional Hospital CEO Arlene Jorgensen May 9.
She also confirmed the breach was the result of staff accessing information in a "repeated and inappropriate" manner that was "outside a legitimate scope of duties."
"We have no tolerance for deliberate breaches," Jorgensen said. "And have taken the appropriate actions."
She said she could not comment on who the staff members are, how many breaches there were or what disciplinary actions were taken against them. Jorgensen did say that any time a Union of Northern Workers member is disciplined, the union is involved and the scope of action for any employee runs from verbal discipline to termination.
Sixty-seven patients were notified their information in a data-management system had been inappropriately accessed after a complaint triggered an investigation last October. That system, called MediPatient, records information akin to a sign-in book, said Nichole Whitcomb, manager of clinics and client records for the hospital.
"MediPatient is the registration portal for all patients," she said, adding that while visits and status are tracked, as well as visits to the lab and diagnostics, results are not. "It's not a place where we're storing a lot of individual information."
As a result of the incident, the authority has been presented with an extensive list of recommendations, some of which they implemented pre-emptively, such as staff-wide privacy training. Jorgensen said there have also been reviews conducted of and changes made to the controls for MediPatient, as well as a new standard operating procedure implemented.
The list of recommendations includes 46 items ranging from ensuring that all staff who access the system be trained in protection of privacy - and making such training mandatory - to implementing more checks and balances within the computer system itself.
Jorgensen admitted that even with the changes, no system is completely safe but with better management practices, the risks can be mitigated.
She also said the investigation has brought forward conversations about the difference between confidentiality and privacy. As the Drum reported previously, Jorgensen maintained no information was shared outside the hospital.
"There was a lot of awareness already," she said. "But that awareness is broader now."
