By Tyler Marr

Privacy commissioner criticizes SHA after more patient records faxed to Kelly’s Computer Works

Dec 12, 2018 | 5:00 PM

In his latest probe into misdirected faxes from the Saskatchewan Health Authority (SHA) to Kelly’s Computer Works in North Battleford, the provincial privacy czar said it is time for the “agency to get this issue addressed once and for all.”

For nearly two years, Kelly’s Computer Works has received faxes containing confidential patient information from the SHA. According to Privacy Commissioner Ron Kruzeniski’s latest report, Darryl Arnold’s company has received at least four confidential faxes since 2017, most recently on March 12.

Kruzeniski said in each case, the cause has been an employee incorrectly entering the fax number. The number for Kelly’s Computer Works and the file’s intended destination — a physicians office — are one digit apart. 

In its investigation into the latest breach, Kruzeniski said the SHA asked Arnold to delete the fax. It is here the commissar raised red flags, as Arnold indicated this was not an easy process, as the faxes are routed through two email servers, both of which retain back-ups.

“It would take many hours, and jeopardize the integrity of my email back up system, which currently has over half a million emails,” Arnold indicated, according to the report.

Missing pet

'She means the world to our family': Woman seeks help in finding missing pet parrot

17h ago

BE CAREFUL ON THE ROADS

Semi flips outside P.A.; one of dozens of incidents on Sask. roads due to winter weather

17h ago

NO GO FOR BUSES

School bus routes outside P.A. canceled due to spring snowstorm

22h ago

Kruzeniski said this was the first time his office learned the emails were being forwarded through private email servers and spoke to the inherent risks of moving personal health data through webmail servers, as not only could the information be stored outside of Canada, it is also disclosed to the webmail provider.

“[The SHA] cannot expect a private business to continue to clean up its errors,” he wrote in his report. “It appears the SHA has made efforts to contain the breach but the breach has not been contained. As long as there are copies and back-ups floating around, the personal health information remains at risk.”

In his report, Kruzeniski said his office was advised that the health authority was working on a project to eliminate faxing personal health information within the system, but a timeline for the implementation had not been established.

In September, he recommended the SHA implement its plan within the next six to 12 months, but in early October, the health authority responded and, according to the report, called the timeline “likely unrealistic considering the complexity of changing workflows and systems across the health system… however we will be advancing this priority as expeditiously as possible.”

Kruzeniski said he is “concerned with the timeline being undefined” given this is an ongoing issue, recommending the SHA provide a timeline to his office within the next six months and implement mandatory annual privacy training for all employees.

“I am not satisfied with how the SHA contained the privacy breach,” he wrote.

In an emailed statement, a spokesperson for the SHA said, as with any potential privacy breach, the incidents were reported to the privacy commissioner, investigated internally, and “any patient involved in a privacy breach was notified in writing.

“We are reviewing the privacy commissioner’s report, and have already begun to implement recommendations. Our first steps have included providing education to staff, as well as working with the specific clinic involved in order to reduce the risk of an error in the future,” they wrote. 

Concerning the recommendation to eliminate the need to fax personal health information, the SHA said it is “working jointly on a project with our health care partners, being led by eHealth Saskatchewan, that will promote the use of electronic alternatives and will reduce or eliminate faxing.”

Arnold described the entire experience as “truly disturbing” but did sympathize with SHA in regard to entirely phasing out faxing. He said initial conversations he was involved with hinted at the health authority nixing faxing by mid-2018 but to no avail.

“I can understand the difficulty in removing all the fax machines from all the health-related offices in the province and I wish them luck with that,” he said. “It just might take longer than both the privacy commissioner and the public are happy with.”

Throughout the entire ordeal, Arnold said he has always believed patient’s health care is suffering because doctors were not receiving results and information, to the point where he would forward on the papers upon receiving them.

While he said dealing with each misdirected fax was time-consuming, given his need to speak with privacy commissioners and media, he did give credit to the SHA for improving this process over time, noting the last number of incidents were dealt with in a timely manner.

“I think they are doing their best. They have a lot of employees and it is only a matter of time before no one faxes anyone anymore and it will get straightened out,” he said. “I am hoping that is the end of it.”

tyler.marr@jpbg.ca

On Twitter: @JournoMarr