Privacy breaches point to training issue: Sunshine

Several recent health information privacy breaches – including one involving 500 patient files at Lakeridge Health in Oshawa – demonstrate that better training of frontline staff is needed, says Toronto health lawyer Elyse Sunshine.

“These investigations into breaches are time-consuming and cost money, so it’s better to do it at the front end and train people, so as to avoid having to spend money at the back end to clean up the problems,” she tells the Toronto Star.

Sunshine, partner at Rosen Sunshine LLP, advises health professionals and clinics on privacy issues.

She was quoted in a newspaper article that outlines a series of such breaches, the most recent of which involves 14 staff members who inappropriately accessed 578 patients' files in the mental health program at Oshawa's Lakeridge Health, which included mental health patients and staffers' own family members. The hospital said the breaches occurred over a period of a decade, says The Star.

Lakeridge's administration said the hospital’s electronic audit system detected an inappropriate access to one patient’s file in June and that prompted a wider review which revealed the numerous breaches dating back to 2004. To conduct the in-depth investigation, the hospital collaborated with the provincial Information and Privacy Commissioner, reports the newspaper.

It ended last month and patients were notified of the breach by mail on Nov. 24, says the article.

The hospital has indicated the 14 employees were disciplined, but hasn't revealed their specific positions; a hospital official also says the employees had apparently accessed the files out of curiosity or concern for particular patients, says the newspaper.

"Acting Commissioner Brian Beamish said that his office opened a file last August after being contacted by Lakeridge, saying 'Lakeridge Health did take steps to advise us of the measures it had or would be taking to minimize or reduce the risk of a similar incident in future, and in these circumstances we were satisfied with their actions,'" says The Star.

In recent months, there have been similar breaches reported at Toronto-area hospitals. In November, former clerk Shaida Bandali was charged by the Ontario Securities Commission with selling securities without a licence for allegedly providing medical records of new mothers at Rouge Valley Centenary Hospital in Scarborough to financial companies, such as those selling Registered Education Savings Plans, says the newspaper.

As well, The Ontario Court of Appeal is set to hear arguments on whether patients can sue hospitals for invasion of privacy; a Dec. 15 hearing stems from a class-action lawsuit launched by patients whose files were wrongfully accessed in 2011 and 2012 at Peterborough Regional Health Centre, says The Star.

To Read More Elyse Sunshine Posts Click Here