B.C. Information and Privacy Commissioner Elizabeth Denham.

VIP patient snooping among health privacy breaches

Privacy commissioner's report urges health authorities to tighten safeguards

Too many health authority employees inappropriately snoop in patient records and some deliberately disclose sensitive information via social media or cellphones.

That’s one of the most serious types of breaches flagged by B.C. Information and Privacy Commissioner Elizabeth Denham in a new report on how the province’s health authorities safeguard privacy.

The report cites “cases of snooping where staff members access records of VIP or other patients out of curiousity or for malicious intent.”

It uncovered four cases in 2013 of staff posting photos of patients to Facebook or Instagram, and three cases of doctors or nurses taking photos.

Another nurse commented on a patient’s health information on Facebook.

“The (privacy commissioner’s office) has serious concern regarding health authority staff deliberately disclosing the sensitive personal information of patients through their own mobile devices and on social media,” the report said.

The report doesn’t break down the number or frequency of incidents between B.C.’s health regions.

Denham’s office has received 200 privacy breach complaints over 10 years from health authorities but suspects that’s just one per cent of the actual number of incidents.

Misdirected faxes were the single most common type of privacy breach identified.

Lost or stolen records or mobile devices were most common among home health and community care programs.

Half of health authorities reported problems with home care workers leaving patient records unsecured in their cars against policy.

Fraser Health told Denham’s office its privacy officers notify affected individuals in almost every privacy breach, in addition to the health region’s CEO.

There is no legal requirement for disclosure in B.C.

Data held by health authorities includes personal identifiers, financial information, health conditions, test results, medication used, as well as information on patients’ physical, mental and emotional status, as well as lifestyle and behaviour.

Denham issued 13 recommendations for action to reduce the risk of future privacy breaches.