Manitoba Ombudsman has released an investigation report under the Personal Health Information Act (PHIA) related to the unauthorized disclosure of personal health information of 91 patients who received magnetic resonance imaging (MRI) scans within the Winnipeg Regional Health Authority (WRHA) between 2008 and 2016. The patients’ health information was disclosed in violation of PHIA to several media organizations.
The leaked records were associated with an audit conducted by the Office of the Auditor General of Manitoba (OAG). The OAG was given access to patients’ health information maintained in a diagnostic imaging database. Records prepared by the OAG during the audit were provided to the WRHA in 2016. These records were subsequently leaked by an unknown person or persons to several media organizations in April 2017.
“Manitobans seeking health care expect their health information to be protected and shared only for purposes authorized under PHIA,” said Acting Ombudsman Marc Cormier. “When an intentional privacy breach such as this one occurs, it takes away the control we have over how and with whom our personal health information is shared, and it erodes public trust in a system that is supposed to protect our privacy.”
The intentional violation of patients’ privacy through an unauthorized disclosure of personal health information constitutes an offence under PHIA, for which the offending person may be subject to prosecution and, if found guilty, may be liable for a fine of up to $50,000.
In light of the seriousness of this privacy breach, the ombudsman initiated an investigation under PHIA in April 2017. Our office subsequently received privacy complaints from some affected patients.
Our office initiated the investigation to:
-
determine what occurred in the privacy breach incident
-
attempt to identify the person(s) who committed the intentional breach (an offence under PHIA)
-
review the WRHA’s handling of the privacy breach, as the trustee of the personal health information of the affected patients
-
identify factors that may have contributed to the privacy breach
-
identify measures to reduce risks to personal health information and to strengthen privacy practices and compliance with PHIA
Our review found that the WRHA responded appropriately privacy breach. Our office was not able to determine the identity of the person(s) who made the unauthorized disclosures to media organizations, nor were we able to determine whether the breach originated within the WRHA. However, our review identified several measures that trustees should consider in an effort to minimize the risk of intentional or inadvertent privacy breaches in the case of bulk disclosures of personal health information. This investigation report contains our comments on the measures that we believe can strengthen privacy practices and compliance with PHIA.
The report is available here!
Source: Manitoba Ombudsman, Canada.