Canadian Underwriter

How common are “snooping” privacy breaches?

April 8, 2019 by Jason Contant


When it comes to privacy breaches in the healthcare sector, “snooping” is definitely a concern.

Snooping breaches, also known as unauthorized access breaches, occur when an employee (such as a hospital worker) has access to identifiable information and abuses their authority to look at the electronic health records of friends, family or co-workers.

In Ontario, the province’s information and privacy commissioner, Brian Beamish, estimates he sees about 10 “snooping” breaches every month, “primarily in hospitals where staff are going into electronic health records of patients they are not providing care to.”

It is also a major concern in Alberta along with fax transmission errors, said that province’s information and privacy commissioner, Jill Clayton. “You’d be surprised at how many fax transmission system errors there are,” Clayton said Thursday. “Over eight or nine years in the private sector, we might have had two reported to us. In the health sector, that makes up a significant number of breaches reported to us.”

Beamish and Clayton spoke about breach reporting trends in the private, public and health sectors last week at NetDiligence’s Cyber Risk Summit in Toronto.

In Ontario, another concern in the healthcare sector is abandoned records, where a health professional goes out of practice and “they’ve simply walked away from their health records and boxes of paper records are left in an office space,” Beamish says.

What also seems to be increasing is staff, volunteers or students posting patient information on social media. “You think that would be understood that you can’t do that, but it is a trend that we are seeing,” Beamish said. “In most cases, it’s meant for good, but it’s still a worrying trend.”

In Alberta, patients being handed the wrong person’s medication is surprisingly common. “It’s a minor privacy breach in some ways,” Clayton said. “I get someone else’s medication and know what they’ve been prescribed and I know their personal health number, but I might also go home and take that medication thinking it’s mine, so there’s a safety issue as well.

“I’m incredibly surprised at how prevalent that problem is.”

Beamish said that healthcare sector breaches reported to his office have to reach a level of significance (in Alberta, the threshold is a risk of harm). “Our concern was overreporting – cases we did not consider significant would be reported to us,” Beamish said, using the examples of a patient getting the wrong medication or an email to the wrong patient that did not contain sensitive information. “I don’t doubt that’s a serious incident for the patient, but we would not consider that to be a serious privacy breach.”