N.W.T.'s medical record system under the microscope after 2 reported cases of snooping
Both cases involved employees of the Northwest Territories Health and Social Services Authority

Medical records are among the most sensitive pieces of information that a government agency keeps on citizens. But these records are not impervious to snooping, as evidenced by two distinct cases reported this year by the Northwest Territories Information and Privacy Commissioner.
The privacy commissioner issues reports on cases in which an investigation yields evidence of intentional and unauthorized access to private health information, commonly known as "snooping."
This year, commissioner Andrew Fox publicly reported two distinct cases of snooping in electronic medical records. They both involved employees of the Northwest Territories Health and Social Services Authority (NTHSSA).
Taken together, the cases illustrate vulnerabilities in the NTHSSA's electronic medical record (EMR) system. According to at least one expert, the EMR system doesn't appear to meet the highest ethical standards for patient privacy.
An EMR is a digital version of a patient's medical history. It can include things like test results, X-rays and prescriptions.
One of the cases published online this year by the privacy commissioner involves an instance in 2021 of an administrative clerk with NTHSSA deliberately opening a person's EMR and relaying some of their private health information to another person. The clerk did this "without consent and without lawful authority," wrote Fox.
The clerk admitted to wrongdoing during an NTHSSA investigation, and was fired some months later.
Fox called this a "particularly egregious, intentional privacy breach." He said the health authority's response was appropriate, but that the agency should have revoked the employee's EMR access as soon as it confirmed the breach.
The health authority uses "role-based access" to the EMR system, meaning an employee's access is limited to what is necessary for their role.
Fox noted that on occasions when the clerk was assigned to other roles, the NTHSSA didn't restrict her EMR access in accordance with those roles.
'I felt incredibly violated'
The second case published this year involved two NTHSSA employees who, on multiple occasions, snooped in the medical records of a patient who wasn't in their care. The employees were siblings and the patient had previously been in a relationship with one of them.
It wasn't until the patient filed a "record of activity" request in July of 2023 — a report on who had looked at her EMR — that she learned of the breach.
"I was disgusted. I felt incredibly violated," said Maryse Gravelle, the patient who had her medical records snooped.
"Our financial institutions have software in place to identify when there's a fraudulent charge possibly being made on our accounts," she said. "How can a banking institution have those sorts of safeguards in place, but there's no alerts on hospital software, on emergency medical records, to alert when there's a suspicious action in somebody's chart?"

In his report, the privacy commissioner said the siblings' jobs granted them "broad access" to the EMR system. Their motivation for opening the patient's records seems to have been "curiosity proceeding from a personal relationship."
Fox called the privacy breach a "deliberate and serious breach of trust," and said it caused the patient "significant distress."
Both siblings admitted to misconduct, were suspended without pay for 10 days and had their EMR access revoked for at least 18 months.
The health authority is required by law to notify a patient about a breach of their medical records "as soon as reasonably possible."
In a statement, NTHSSA CEO Kim Riles said the health authority must investigate all reports of privacy breaches, and upon completion of an investigation, notify the affected people.
"At times, the investigation process can take a significant amount of time," wrote Riles. She added the NTHSSA is reviewing its practices and "has committed to ensuring the notification occurs as soon as a privacy breach is confirmed, regardless of whether a full investigation has been completed."
She said the agency accepted the privacy commissioner's recommendations and continues to improve and update mandatory training.
Auditing EMRs 'a real challenge'
Livia Kurinska-Hrdlickova is the territory's chief health privacy officer. She said routine audits check for suspicious activity in the EMR system, which, if found, is flagged to the health authority.
But Fox told CBC that auditing EMRs for instances of unauthorized access is "a real challenge."
"If you looked at some random sample of employees looking at health records, there's really nothing that you could infer from the fact that a lab assistant looked at someone's medical record," he said. "You couldn't tell whether that was authorized or not."
Neither of the two snooping cases Fox published this year was flagged by a routine audit.

Kurinska-Hrdlickova explained that an employee with role-based access to the EMR system has gone through mandatory privacy training, and taken an oath of confidentiality. They need a patient's first and last name, and their date of birth or health-care number, to open their medical record.
The system also relies on trust that employees with access will only use the EMR system when it's required for their work on a specific case.
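To make concrete why a role-based check alone cannot flag the accesses described above, and what an audit would need in addition, here is an added example written for this article; it is not NTHSSA's code and does not describe its EMR system. It assumes a hypothetical access log (user, role, patient, timestamp) and a hypothetical care-relationship table listing when a user had a documented reason, such as an encounter or an order, to open a given patient's record. All users, roles, health-care numbers and dates are constructed. A role-only check passes every access by a permitted role, which is exactly the gap Fox describes; a care-relationship check flags accesses with no clinical basis, and a repeat count surfaces a user who keeps returning to the same record.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    """One EMR access-log entry (constructed format, not an NTHSSA log)."""
    ts: datetime
    user: str       # employee ID (constructed)
    role: str
    patient: str    # patient health-care number (constructed)


# The role-based layer: roles entitled to open an EMR at all (assumed set).
ROLE_MAY_OPEN = {"physician", "nurse", "clerk", "lab_assistant"}

# Care relationships: (user, patient) -> interval in which the user had a
# documented reason to open the record. Constructed for the example; a real
# system would derive this from scheduling, orders or encounter data.
CARE = {
    ("u100", "HCN-1001"): (datetime(2023, 6, 1), datetime(2023, 6, 3)),
    ("u101", "HCN-1002"): (datetime(2023, 6, 10), datetime(2023, 6, 10)),
}

# Constructed access events. u200 and u201 hold roles that permit EMR access
# but never had a care relationship with HCN-1001; u300 has no entitlement.
EVENTS = [
    Access(datetime(2023, 6, 2, 9, 0), "u100", "nurse", "HCN-1001"),
    Access(datetime(2023, 6, 10, 14, 0), "u101", "lab_assistant", "HCN-1002"),
    Access(datetime(2023, 6, 12, 22, 5), "u200", "clerk", "HCN-1001"),
    Access(datetime(2023, 6, 15, 3, 0), "u300", "facilities", "HCN-1002"),
    Access(datetime(2023, 6, 20, 23, 41), "u200", "clerk", "HCN-1001"),
    Access(datetime(2023, 7, 1, 8, 15), "u201", "nurse", "HCN-1001"),
    Access(datetime(2023, 9, 1, 8, 15), "u100", "nurse", "HCN-1001"),
]


def role_only_alerts(events, allowed=ROLE_MAY_OPEN):
    """What a pure role-based check can say: only accesses by a role with no
    EMR entitlement at all are flagged. Every other access looks identical."""
    return [e for e in events if e.role not in allowed]


def care_relationship_alerts(events, care=CARE, grace=timedelta(days=7)):
    """Flag accesses that have no care relationship with the patient, or that
    fall outside the relationship window plus a grace period for follow-up."""
    alerts = []
    for e in events:
        if e.role not in ROLE_MAY_OPEN:
            alerts.append((e, "role has no EMR entitlement"))
            continue
        rel = care.get((e.user, e.patient))
        if rel is None:
            alerts.append((e, "no care relationship with patient"))
        elif not (rel[0] - grace <= e.ts <= rel[1] + grace):
            alerts.append((e, "access outside care window"))
    return alerts


def repeat_access_without_relationship(alerts, min_count=2):
    """(user, patient) pairs opened without a care relationship at least
    min_count times: the repeated-curiosity pattern rather than a one-off."""
    counts = Counter((e.user, e.patient) for e, reason in alerts
                     if reason == "no care relationship with patient")
    return {pair: n for pair, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print("role-only check flags:", len(role_only_alerts(EVENTS)))
    found = care_relationship_alerts(EVENTS)
    for e, reason in found:
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:>5} {e.role:<14} {e.patient} {reason}")
    print("repeat offenders:", repeat_access_without_relationship(found))
```

The care-relationship table is the part that a role-based model does not have and that a bank-style anomaly alert would need: it gives the audit something to compare each access against, rather than a role label that is equally consistent with authorized and unauthorized use. The grace period is a tuning choice; too short and legitimate results review is flagged, too long and a snoop who once treated the patient goes unnoticed.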
"Any system across Canada is not perfect," said Kurinska-Hrdlickova. "You never go to a zero risk, right? Because that's impossible."
EMR system not structured 'according to ethics': expert
As Fox noted, NTHSSA extended trust to the employees with EMR access, and the employees breached that trust.
Eike Kluge, a University of Victoria biomedical ethics professor, said in the case of the siblings, the EMR system shouldn't have allowed them to open Gravelle's record in the first place.
"There should be a challenge. Justify who you are and what right you have to access that record," he said.
Kluge said the system shouldn't just flag improper access, it should prevent it.
If the system isn't blocking improper access, "it's not properly structured," he said. "Certainly not according to ethics."
Kurinska-Hrdlickova disagreed with Kluge's assertion and said the territory's EMR system complies with territorial privacy legislation.
She also said the territory's EMR system is set to be replaced in the near future, and that the new system will have even stronger privacy protections.
There isn't readily available data on the prevalence of medical record snooping in the N.W.T. or in Canada.
Any resident who's concerned about the privacy of their health information can file an access to health information request online.