Vancouver's health authority is assuring patients their privacy is secure after firing a clerical employee who admitted to sneaking a peek at the medical records of five local media personalities.
The female staff member, who had worked for Vancouver Coastal Health for several years, accessed the files through the authority's electronic records system on multiple occasions in October and November.
The breach was picked up in a routine audit. When confronted, the worker said she snooped out of "curiosity," but did not share any of the information verbally or by email.
Her job was terminated on Wednesday, and the people whose files were compromised were notified. Their names and media outlets have not been identified, but a health authority spokesman said on Thursday "many Vancouverites would know who they are."
Vancouver radio station News1130 has reported one of its "well-known media personalities" was among the group.
"We get celebrities through our hospitals on a regular basis that nobody ever hears or knows about," said authority spokesman Clay Adams. "So we want to reassure the public that their privacy is respected and it is protected."
By looking at the files, the woman violated a confidentiality agreement that was a signed part of the authority's terms of employment.
President and CEO Dr. David Ostrow has apologized in a public statement to both the people impacted and also to all patients, clients and residents, saying the incident violates the trust people place in the authority.
Its privacy officer is examining whether further measures can be taken to prevent future transgressions.
"We're clearly looking to see if there is more we need to do. But it's hard to prevent human nature," Adams said. "(It was) someone very clearly doing something outside of their work realm."
B.C. Privacy Commissioner Elizabeth Denham was also notified of the breach on Wednesday, and launched an investigation.
"It is deeply troubling when an employee who has legitimate access to personal information on the job abuses that privilege," she said in an email statement. "What is most concerning about this case is that it involves sensitive, personal health data."
Secure and controlled access to such data is fundamental to building and maintaining trust in the health-care system, she added.
The office will work with the authority to mitigate current and future risks, Denham said.
Hundreds of employees have access to the medical files of more than one million people in the regions covered by Vancouver Coastal Health, which also includes Richmond, North and West Vancouver and parts of the Sunshine Coast and Sea-to-Sky corridor.
The improper access was discovered when the authority's privacy office was conducting its monthly audit specifically aimed at ensuring that all employees, including doctors and nurses, only access files they are authorized to do so.
The audit randomly selects patient files who have a "do not announce" designation, and looks at who accessed the file and then examines whether it was proper. Anyone who enters a hospital can ask to have their file marked with the heightened level of privacy designation, but other staff members can also impose the label if they believe it is appropriate.
"It would draw flags if the person may have looked at a file where the person wasn't receiving care," Adams said.
Adams said in this particular incident two files that should not have been opened were caught. The privacy office then cross-referenced other files the worker had accessed and came up with three more breaches.
He said any time a staff member accesses a patient file in the electronic records system, a computer prompt pops up asking the worker if they are an authorized viewer. In this case, the worker would have had to select "yes" before gaining the file.
News1130 declined to give comment.
Last fall, B.C.'s privacy commissioner opened an investigation into the loss of a Vancouver Coastal Health laptop computer containing the health records of 450 patients at Toronto's airport.