A report by the Island’s information and privacy commissioner found that a pharmacy employee accessed private health records of another employee improperly.
The report stopped short of determining whether this information was shared with anyone else.
Karen Rose, P.E.I.’s information and privacy commissioner, also found that at the time of the complaint, the pharmacy in question did not have in place practices to detect or protect against privacy breaches. However, Rose also noted that the pharmacy did take steps to contain the privacy breach and to conduct an investigation.
The pharmacy, as well as the individual employees, are not identified in the privacy commissioner’s report.
The report notes that in August 2017, a pharmacist notified a manager at the pharmacy that two employees had accessed the personal records of a former co-worker on the Drug Information System database. This database contains information about the prescription information of individuals, and other personal information. It was alleged that the two staff members, who were pharmacy assistants had also shared this information with others in the workplace.
In the investigation of the incident by the pharmacy, one of the staff members admitted to accessing the health records of the affected individual, in order to confirm which pharmacy this individual was attending. The second employee did not admit to accessing the information without authorization, although the first employee claimed the two had discussed the information.
The commissioner determined that there was no evidence that the second employee was aware of the privacy breach. The pharmacy had a practice of sharing access to the Drug Information System amongst staff, using one single login and password. As such, on the day of the privacy breach, it was impossible to determine who had access the system, as individual staff members did not have to log in using their own password.
“The Pharmacy advises that at the time of this incident their software did not have the capacity to create an audit report of who has accessed personal health information from the DIS, or when,” the report states.
The report also noted that the pharmacy had not provided required privacy training related to health records, and that the employee who admitted to accessing the information is no longer employed at the pharmacy. The second employee was suspended but later reinstated.
The report also noted that the pharmacy adequately implemented unique user IDs for the Drug Information System for all staff and has begun carrying out required privacy training with staff.
