Investigation finds Alberta Health Services failed to protect private patient data

Oct 18 2018, 9:31 pm

Both Alberta Health Services (AHS) and a former Alberta Health Services employee are under the gun after over 12,000 people had their private information improperly accessed between 2004 and 2015.

According to a release from the Government of Alberta, a two-year investigation found that AHS “failed to ensure the employee was aware of and adhered to safeguards to protect health information.”

In September of 2016, it was announced by AHS that over 12,000 people in Alberta Netcare had their health or demographic information viewed by someone who had been previously employed with the Netcare Person Directory and who had worked at the Alberta Hospital in Edmonton.

Coworkers had raised concerns about the former employee on multiple occasions between March 2014 and July 2015, according to the release. Upon hearing that their information had been improperly accessed, over 30 people filed complaints to the Office of the Information and Privacy Commissioner (OIPC), which was conducting the investigation.

These complaints, alongside the concern for how the former employee’s improper actions had gone on undeterred for so long, spurred the OIPC to investigate AHS itself. The results of that investigation were published in a report, released on October 17.

“As was the case with an investigation report my office issued last year into AHS employees who improperly accessed health information of a woman and her daughter at South Health Campus in Calgary, this investigation highlights a significant breach of privacy where the focus of the investigation shifted from the employee to AHS’ implementation of safeguards,” said OIPC Commissioner Jill Clayton in the release.

“This report should be a wake-up call for anyone responsible for protecting Albertans’ health information, alerting them to the potential consequences if they fail in their duty to implement and maintain reasonable safeguards to protect health information.”

New amendments have been put forward in the Health Information Act (HIA) as of August 31 that would see “a person who fails to take reasonable steps in accordance with HIA regulations to maintain safeguards to protect against reasonably anticipated threats to the security of health information” fined no less than $200,000.

It was also recommended in the report that AHS focus on HIA awareness training and that they conduct internal audits of their auditing processes.