Office of the Information and Privacy Commissioner
November 9, 2016

Office of the Information and Privacy Commissioner - Report PH-2016-001 Released

The Information and Privacy Commissioner, Donovan Molloy, has released his Report PH-2016-001 under authority of the Personal Health Information Act (PHIA). A summary of the Report is included below.

To view the Report in its entirety, please go to www.oipc.nl.ca/reports/commissioner

Summary:

An intentional privacy breach occurred at Eastern Health when an unknown person inappropriately accessed and printed personal health information from the Meditech account of a doctor at Eastern Health. This information was then anonymously sent to the Department of Health and Community Services and the College of Physicians and Surgeons. It could not be proven who committed the breach, so no charges were laid under section 88 of the Personal Health Information Act. The Commissioner found that Eastern Health had taken reasonable administrative and technical security measures to protect personal health information as required by section 15 of PHIA. This breach appears to have been outside of Eastern Health's control and perpetrated by someone who chose to ignore clear rules and policies regarding the protection of personal health information. This person was able to inappropriately access the information through the account of another doctor when he inadvertently failed to log out of his computer session, contrary to Eastern Health policy. The Commissioner recommended that Eastern Health review best practices for automatic log out times and implement an appropriate standard consistent with privacy best practices and professional practice requirements. The Commissioner also recommended that Eastern Health remind employees of the importance of logging out of computer sessions and of the consequences for failing to do so.

- 30 -

Media contact:

Donovan Molloy, Q.C. Information and Privacy Commissioner 709-729-6309

2016 11 08             9:40 a.m.