In the first seven months of mandatory healthcare sector data breach reporting in Alberta, the province’s privacy commission was notified of 674 incidents, well over what it expected.
That and other nuggets of information were released this week in the annual report of Alberta’s information and privacy commissioner Jill Clayton covering the period April 1, 2018 to March 31.
Until August 31, 2018 the healthcare sector only had to voluntarily report violations of the provincial Health Information Act (HIA). But by the end of the first full year, well over 1,000 violations had been reported, about double what had been expected.
A significant number of these cases, Clayton’s report says, involve “willful disregard of the law, and affecting, in some cases, hundreds if not thousands of Albertans.”
Many are incidents of staff snooping through electronic medical records of partners, ex-partners, relatives or friends.
In 2019 four people were convicted of violating the HIA. The most recent was in October, when a former billing clerk with Alberta Health Services was fined $8,000 and sentenced to one year of probation after pleading guilty to unlawfully accessing the health records of 81 people. In August another provincial health department billing clerk was fined $5,000 for accessing the records of 52 people.
In September a medical office assistant at a family clinic was fined $3,500 for accessing files of two people. And in January an assistant at a private laboratory was fined $3,500 for illegally accessing the records of 11 people.
In several of the cases, the accused were caught by routine digital audits of who was accessing records. In an interview, Clayton said such audits are a prime way of stopping employees from snooping through records. However, she admitted that older health records systems still in use at some facilities may not have that capability.
Aside from regular access audits, institutions need to remind staff that snooping is unacceptable and that there will be consequences, she added.
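The kind of routine access audit Clayton describes can be reduced to a simple check: compare every record access against a table of documented care or billing relationships, and flag accesses with no relationship behind them, especially when one user racks up several such accesses in a day. The script below is an added illustration, not code from the commissioner's office or any Alberta health system; the log format, the care-team table, the billing assignments and all user and patient identifiers are constructed for the example.

```python
"""Minimal EMR access-audit check (added example, constructed data).

Flags record accesses by staff with no documented care or billing
relationship to the patient, then highlights users who accumulate several
such unexplained accesses to distinct patients in a single day.
"""
from collections import defaultdict
import csv
import io

# Constructed access log in a hypothetical CSV export format:
# timestamp, user_id, patient_id, action
ACCESS_LOG = """\
timestamp,user_id,patient_id,action
2019-03-04T09:12:00,nurse_ana,P1001,view
2019-03-04T09:14:00,nurse_ana,P1002,view
2019-03-04T11:40:00,clerk_bob,P1001,view
2019-03-04T11:41:00,clerk_bob,P2045,view
2019-03-04T11:42:00,clerk_bob,P2046,view
2019-03-04T11:43:00,clerk_bob,P2047,view
2019-03-04T12:00:00,dr_chen,P1002,view
2019-03-05T08:30:00,clerk_bob,P2048,view
"""

# Constructed care-team table: which clinical staff are assigned to which patients.
CARE_TEAM = """\
user_id,patient_id
nurse_ana,P1001
nurse_ana,P1002
dr_chen,P1002
"""

# Constructed billing assignments: a billing clerk legitimately touches a
# record when processing a claim for that patient's visit.
BILLING_ASSIGNMENTS = {("clerk_bob", "P1001")}


def parse_csv(text):
    """Parse a CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def build_relationships(care_team_rows, billing_pairs):
    """Return the set of (user_id, patient_id) pairs with a documented reason for access."""
    allowed = {(r["user_id"], r["patient_id"]) for r in care_team_rows}
    allowed |= set(billing_pairs)
    return allowed


def audit_accesses(log_rows, allowed, volume_threshold=3):
    """Return (unexplained_accesses, high_volume_users).

    unexplained_accesses: log rows whose (user, patient) pair has no relationship.
    high_volume_users: users with at least `volume_threshold` distinct
    unexplained patients on one calendar day, sorted by user id.
    """
    unexplained = [r for r in log_rows
                   if (r["user_id"], r["patient_id"]) not in allowed]

    # Count distinct patients per (user, day) among the unexplained accesses.
    per_user_day = defaultdict(set)
    for r in unexplained:
        day = r["timestamp"][:10]          # ISO date prefix, e.g. 2019-03-04
        per_user_day[(r["user_id"], day)].add(r["patient_id"])

    high_volume = sorted({user for (user, _day), patients in per_user_day.items()
                          if len(patients) >= volume_threshold})
    return unexplained, high_volume


def run_audit():
    """Run the audit over the constructed sample data."""
    log = parse_csv(ACCESS_LOG)
    allowed = build_relationships(parse_csv(CARE_TEAM), BILLING_ASSIGNMENTS)
    return audit_accesses(log, allowed)


if __name__ == "__main__":
    unexplained, high_volume = run_audit()
    for r in unexplained:
        print(f"UNEXPLAINED {r['timestamp']} {r['user_id']} -> {r['patient_id']}")
    for user in high_volume:
        print(f"REVIEW: {user} accessed several unrelated records in one day")
```

In the sample, the nurse's and physician's accesses all match the care-team table and the clerk's first access matches a billing assignment, so only the clerk's four later lookups are reported, and the clerk is singled out for review because three of them fall on the same day. A real deployment would draw the relationship table from scheduling, admission and billing systems, and any flagged access would go to a human reviewer rather than being treated as proof of wrongdoing.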
As for private sector companies, which have to report data breaches under the provincial Personal Information Protection Act (PIPA), the number of reported breaches was up 26 per cent over the previous year.
“We still see lots of breaches that could be prevented,” Clayton said in the interview. A “steady percentage” of them are related to human error, she added.
In particular, she pointed to stolen or lost unencrypted laptops and smartphones holding personal data. Companies need to set down policies stating that if a staffer doesn’t need to put personally identifiable information on a mobile device, they shouldn’t. If it has to be done, the data must be encrypted.
Clayton was also surprised at the number of phishing-related data breaches. These are preventable if staff are trained to identify suspicious email and text messages, she said.
Phishing is enough of a problem that her office put out a warning notice to Albertans in May to watch for signs of scams.
Although not mentioned in the report, Clayton’s office has been investigating — in conjunction with the federal privacy commissioner — developer Cadillac Fairview’s use of facial recognition technology in its shopping malls. The investigation, which began in August, is into whether the company is collecting and using personal information without consent.
According to a statement from the federal privacy commissioner’s office, Cadillac Fairview says it is using the technology to monitor traffic, as well as the age and gender of shoppers and not to capture images of individuals.
Clayton closed the interview with this advice to Alberta organizations covered by provincial privacy laws: “Beware there are all kinds of risks out there and that personal and health information has a value, and they have a responsibility to appropriately safeguard that information. But that responsibility does end with technical or administrative safeguards. There are other responsibilities — to make sure individuals know what’s happening with their information so they can take steps to protect themselves, to make decisions on who they want to provide personal or health information, whether they want to engage in online transactions.”