Saskatchewan

Doctors snooped on Humboldt Broncos' records, privacy commissioner finds

Saskatchewan's privacy commissioner has found seven people inappropriately gained access to electronic health records of Humboldt Broncos team members involved in a bus crash last April.

6 doctors, 1 office employee inappropriately looked at records

Sixteen people died and 13 were injured in April 2018 when the Humboldt Broncos team bus and a semi-truck collided near Nipawin, Sask. (Jonathan Hayward/Canadian Press)

Saskatchewan's privacy commissioner has found seven people inappropriately gained access to electronic health records of Humboldt Broncos team members involved in a bus crash last April.

Sixteen people were killed and 13 were injured in the crash between the junior hockey team's bus and a semi trailer at a rural Saskatchewan intersection.

"Due to the high-profile nature of the crash, eHealth Saskatchewan understood the risk of snooping," said a report from information and privacy commissioner Ronald Kruzeniski.

The report said the health agency began monitoring the profiles of the patients — which include lab results, medication information and chronic diseases — three days after the crash.

The wreckage of a fatal crash outside of Tisdale, Sask., is seen in April. A privacy report says medical records of crash victims were inappropriately accessed by people in the health care system. (Jonathan Hayward/The Canadian Press)

eHealth found that in April and May of 2018, a number of users of the electronic health record viewer, mostly physicians, accessed information about crash victims without having "a legitimate need-to-know."

The report shows eHealth reported the breaches to the privacy commissioner on July 5.

Privacy commissioner 'disappointed'

Kruzeniski said he's disappointed that the doctors and the office manager inappropriately looked at the records.

"This has been a major tragedy in our province and I'm disappointed that people got tempted," he said in an interview with The Canadian Press on Monday. "Now that it's happened, it's my job to work with others through education and legislative change [to] make the system work."

His report, which has been posted online, detailed the privacy breaches.

In one case, an employee of a medical clinic examined the health information of three people involved in the collision.

The office manager admitted she consulted the records because "her family members had heard one of the individuals had died and she wanted to verify the information; she thought another individual was a patient ... [and] she wanted to verify a detail that was reported by the media about one of the individuals."

The report said the employee's access to eHealth was suspended and she was given further training, but she has since resigned from her job.

Another case involved a doctor at a Humboldt clinic who viewed the records of two people, including one who was a patient prior to the crash.

"Dr. D wanted to know what injuries the individual sustained, if the individual received care or if it was an instant fatality," said the report. "For the other individual, it explained Dr. D was concerned."

Emergency care doctors among those reviewing patient records

Other cases included three doctors who provided emergency care at the Nipawin Hospital and who reviewed patient records of those they treated.

"They believed they were in the individuals' 'circle of care,"' said the report.

The privacy commissioner said the province's Health Information Protection Act does not address circles of care so the doctors were no longer authorized to access the records.

During the monitoring period, two medical residents were found to have looked at the records of one of the people involved in the crash when the residents were reviewing the records of dozens of patients with a particular illness.

Monthly privacy audits recommended

In his report, Kruzeniski has made a number of recommendations to eHealth — including that it conduct regular monthly audits for the next three years of the physicians who inappropriately gained accessed to information.

Kruzeniski also recommended that the organization comply with a need-to-know principle rather than a circle-of-care concept and that it develop a solution to force users of the system to regularly review their training.