Can entities name rogue employees in disclosing a breach? Maybe.
I’ve often commented on how entities shield the names of rogue employees or contractors. Here’s a letter to an editor from Ann Cavoukian, Information Privacy Commissioner for Ontario, about the paper’s coverage of an insider privacy breach:
Your article suggests the North Bay and District Hospital was unable to reveal to patients the name of the nurse who had inappropriately accessed their files. Why?
The reason given was the privacy of the nurse. To be clear, in my orders under the Personal Health Information Protection Act (PHIPA) I have consistently said that an individual whose health record has been accessed by an unauthorized staff person has a right to know how the organization has responded to the breach.
Privacy considerations do not prevent the identity of the staff member responsible for the breach being disclosed to the affected individuals.
In this case, there were most likely other reasons why the hospital chose not to identify the responsible nurse, for example, their human resources practices. However, privacy is not the problem – it does not present a barrier to such disclosure.
Information Privacy Commissioner
Update: The paper now reports that the hospital will reveal the name – but only to those who have received notification letters.