Privacy commissioner criticizes Sask. Health Authority's handling of snooping nurse investigation

Saskatchewan's privacy commissioner has released a report on a registered nurse who snooped on patient records at a hospital in Yorkton.

The incidents took place at the Yorkton Regional Health Centre between November 2023 and May 2024. While working at the hospital, the nurse inappropriately viewed the medical records of 70 patients, accessing the system over 200 times, according to the report by Ronald Kruzeniski.

After an investigation by the Saskatchewan Health Authority (SHA), the nurse was terminated in October 2024. 

Kruzeniski's report, released March 31, stated that while the SHA investigated the breach appropriately, it failed on several counts to contain the privacy breaches and notify the patients involved. It also criticized the SHA for not sharing enough information proactively over the course of the investigation.

"After a review of the SHA's internal investigation report, it was apparent that it lacked sufficient detail for my office to fully investigate the matter," the commissioner said, before a series of back-and-forth communications between the SHA and the commissioner's office in January.

Kruzeniski also noted the SHA did not immediately provide audit logs and notes from meetings with the nurse that he requested for his investigation, leading to delays.

"Instead of providing all of the information requested, the SHA asked for the rationale or purpose of requiring the audit log and interview notes," the commission said in the report.

He said that contacting the nurse was at first met with similar resistance.

Over the course of the investigation, the commissioner determined that the nurse continued to have access to patient medical records while they were being investigated, inappropriately accessing them an additional 27 times after the internal investigation began.

Kruzeniski notes that while the SHA did contact the patients who had been impacted, it didn't adequately inform them of the harms that may come to them as a result of the breach. That prevented the victims from taking further actions to protect themselves from identity theft.

Moreover, the commissioner said, the SHA didn't tell the victims who snooped on their medical records, or that the person had been terminated as a result.

While the SHA found the snooper through an electronic audit, the commissioner found that those audits aren't routine and the SHA didn't have an official audit policy.  

Kruzeniski determined that the SHA should make several changes to its internal procedures by the end of April. In future investigations, it should block personal access to medical records once an employee is being investigated, institute regular auditing and provide privacy breach victims with more information about who viewed their information. 

The commissioner also said the SHA should better inform victims of who snooped on their information, notifying them within 10 days.

Finally, while the nurse was terminated, the commissioner said their actions were serious enough to be forwarded to prosecutors to determine if an offence had occurred under the Health Information Protection Act.