Manitoba employee accesses personal health information of patients without authorization

Breach of patient information called 'deeply regrettable'

A worker employed by Manitoba’s Shared Health was found to have accessed patients’ personal health information without authorization for months.

The worker is no longer employed by Shared Health, the employer said on Friday.

The worker – a clinical staff member at Health Sciences Centre (HSC) – gained unauthorized access to the information of about 360 patients between August 2023 and March 2024, the employer found in an internal investigation.

“Shared Health takes the safety and security of patients’ personal information very seriously, with a number of protocols in place to detect inappropriate access of private patient information. It is deeply regrettable that patient privacy was breached,” said Christina Von Schindler, Shared Health’s chief privacy officer. “In this case, the protocols were effective, with the snooping detected, investigated and the individual responsible held accountable for their actions.”

Shared Health has informed Manitoba’s ombudsman of the breach. It has also informed hundreds of affected patients of the incident.

“Affected patients were encouraged to reach out to Shared Health’s privacy office if they wish to discuss the matter. They were also given information on how to receive a record of user activity on their electronic health record,” said the employer.

Recently, the federal government released its first-ever Enterprise Cyber Security Strategy, detailing how it plans to improve cyber security across government departments and agencies.

History of data breach at Shared Health

Shared Health has been a victim of a data breach at least twice in the past, according to a CBC report. 

In 2016, an HSC employee inappropriately accessed a paper file from HSC containing 1,000 patient records. Weeks later, a health-care worker was caught snooping on records of about 200 patient health files.

In a statement, Shared Health noted that all of its employees are required to complete mandatory training on the appropriate use of personal health information. Every employee must also sign a pledge to observe their obligations under the Personal Health Information Act (PHIA) and Shared Health policies on appropriate use of confidential data systems.

“This training is repeated every three years to ensure staff’s knowledge is up to date. Employees are also subject to regular routine audits of their activity in the electronic health record systems that they have privileged access to,” said Shared Health.

Some employee personal information was compromised at retail and pharmacy chain London Drugs in April, the employer recently confirmed.

How do you handle a data breach in healthcare?

When it comes to handling a data breach in healthcare, an incident response plan is essential, said Jen Stone, security analyst, via Security Metrics.

“A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to business more quickly. In an ideal world, you should already have an incident response plan prepared and employees trained to quickly deal with a data breach situation,” Stone said.

For employers that have no such plan, “employees scramble to figure out what they’re supposed to do, and that’s when mistakes are made,” Stone said. “For example, they may wipe a system without first creating images of the compromised systems to learn what occurred and to avoid re-infection.”

To respond to a data breach, employers must preserve the evidence, contain the breach, and investigate and fix their systems, Stone said.

“Practice and review your incident response plan with annual tabletop run-throughs and simulation training. If you don’t have a plan, make this a top priority,” said Stone.

“With a solid and practiced incident response plan, you and your staff will be ready to stop patient data from being stolen, mitigate further damage, and restore operations as quickly as possible.”

The technology skills gap causes a lot of concern for employers, especially when it comes to cybersecurity, according to a previous report from Mercer.