Northern Canadian hospital confirms staff wrongly accessed patient records

Security experts emphasize that organizations have to limit access to databases with sensitive information. However, they also have to carefully design information systems themselves so sensitive data doesn’t appear on screens users have legitimate reasons to see.

That appears to have failed at a health authority in Canada’s far north, which confirmed Monday that employees inappropriately accessed patient health records through an online scheduling system in what appears to be a case of employee snooping.

CBC News reported that some staff at the Beaufort-Delta Health and Social Services Authority, which serves 6,700 residents of the Beaufort Delta Region in the Northwest Territories, including the Inuvik Regional Hospital, have been disciplined for wrongly accessing records of 67 patients.

The information “had been inappropriately accessed by staff outside a legitimate scope of duties,” Arlene Jorgensen, CEO of the Inuvik Health Authority, was quoted as saying.

The institution’s scheduling system includes expected information such as appointment times and check-out dates. But it also lists the reason patients were at the hospital. Several staff members who had accessed this information did not need it to do their jobs, according to the health authority.

The authority emphasized that detailed information, such as diagnoses, was not accessed during the breach.

Last month the federal privacy commissioner warned that “employee snooping poses a serious privacy risk that if left un-checked can cause significant and lasting financial and reputational damage to both your customers and your organization.”

Some staffers snoop out of curiosity; others, like those at a Toronto-area hospital, used data from its electronic patient system to sell Registered Education Savings Plans to new mothers, or sold data on new mothers to a firm that sold RESPs.

In case you didn’t get the privacy commissioner’s report, here’s a link. He suggested 10 ways organizations can eliminate employee snooping, including:

–Foster a culture of privacy;

–Have periodic and/or “just-in-time” training and reminders of policies around snooping;

–Ensure employees know that consequences will be enforced. That includes having employees sign (upon hiring and at regular intervals) confidentiality agreements;

–Ensure access is restricted to information required to perform the job.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
