More transparency needed in Health Authority insider breaches
CBC News reports:
Health authorities in Labrador and central Newfoundland acknowledge they have disciplined workers for previously-unreported privacy breaches.
Last year, Central Health admitted to a serious breach of privacy involving 19 patients. The employee responsible was fired.
Since then, the board has not publicly reported any other breaches — until being asked by CBC News.
“We did not disclose two,” Central Health CEO Karen McGrath said. “While they were serious, we believed we had talked to, disclosed to the clients themselves, and felt it was not either in the best interest of the clients to actually publicly disclose this.”
McGrath says that both cases involved less than 10 patients. In one case the employee was suspended; in the other, the employee quit.
Central Health did inform the privacy commissioner, but had no intention of informing the public.
“I think that’s true for all the health authorities,” McGrath said. “We don’t disclose all breaches.”
Read more on CBC News.
And why should they disclose publicly if they don’t have to, right?
Even when they do disclose breaches – to patients or the public – full transparency may not be the order of the day for the health authorities. This week, I posted an item about a breach at Western Health Authority in Newfoundland. Western Health had reportedly fired an employee who improperly accessed over 1,000 patients’ records. Neither the media report nor a statement on Western Health’s web site addressed the employee’s motivation in accessing the patient records.
I contacted the health authority and asked for a statement about the motivation behind the access. By email, a spokesperson replied that they were not able to comment on the motives of the employee.
Why not? Do they not know? Or do they know but are refusing to disclose?
Those who are affected by a breach need to know sufficient details so that they can evaluate the risk of harm. An employee who’s snooping out of curiosity is one thing. An employee who is accessing records and possibly recording information to be misused subsequently is something else. Both are problematic – especially if the health records contain sensitive information – but how can patients assess the situation if important information is withheld from them?
The Western Health Authority did not name the employee, and I do not criticize them for that. But unless authorities are legally prohibited from disclosing more details about the breach, I think they not only should, but owe it to the victims of the breach to do so.
Because other breaches were not disclosed publicly, I do not know whether patients were provided with any explanation of those insider breaches. In at least one publicly reported case, they were. But the rest?
It seems that it’s not just the U.S. that needs a mandatory breach notification law that includes important elements of breach details.
Update: Apparently, the New Democrats agree more transparency is needed.