A pharmacist in Canada has been fined and suspended from practice for six months for spying on the electronic health records of 46 people she knew, including her child’s girlfriend.
Robyn Keddy, manager of a pharmacy operated by one of the country’s major grocery retail chains, had used the provincial Drug Information System to trawl the confidential records over two years, including those of former classmates, her doctor, a person with whom she’d had a car accident, and her child’s therapist, the Nova Scotia Information and Privacy Commissioner Catherine Tully found.
In her investigations into privacy breaches involving the pharmacist launched in December last year, Tully also found Keddy had created false profiles to access the DIS and discussed the private health information with her spouse.
According to the Privacy Commissioner, the delivery of healthcare is increasingly tied to electronic health records but the growing use of interoperable health databases by healthcare professionals also increases the risks of authorised users intentionally using their access for unauthorised purposes.
“The temptation to ‘snoop’ is difficult for some individuals to resist,” Tully said.
“Custodians of electronic health records must anticipate and plan for the intentional abuse of access by authorised users.”
The Commissioner’s investigations found the pharmacist had routinely inappropriately accessed patients’ prescription histories and medical conditions, including those of her family members and co-workers.
Keddy was also overheard telling her husband that their child could no longer see his girlfriend as a result of the medications the young woman and her parents had been prescribed.
Following the termination of her employment for the privacy breaches, Keddy continued to inappropriately access people’s health information via the DIS.
Tully said the investigation showed that “monitoring of electronic personal health information databases is a critical vulnerability in the province. As a result, intrusion into the private lives of patients is a real and present danger”.
[Read more: SA Health staff caught spying on patient records and 7000 children’s pathology results exposed online | “Yet another wake-up call”: Privacy Commissioner releases new data breach report, with health sector top of the list]
The DIS is a multi-use database operated by the province and used by over 11,000 doctors, pharmacists and health practitioners.
In July, the Nova Scotia College of Pharmacists suspended Keddy’s licence to practise pharmacy for six months and fined her $5000. She was also ordered to pay another $4000 in costs and complete a course in business ethics.
"The College believes that strong sanctions are required to send a clear message to pharmacy registrants that we take the responsibility … to maintain the confidentiality of the personal health information seriously," its registrar, Beverly Zwicker, told CBC.
The Privacy Commissioner made 18 recommendations for improving and strengthening privacy controls by the province and the Sobeys company that runs the pharmacy.
Australia’s My Health Record database is designed to provide access to 900,000 healthcare professionals.
People now have until November 15 to opt out of the system or the federal government will create a My Health Record for them by the end of 2018. The opt out period was formally extended by Health Minister Greg Hunt on Friday following a data privacy backlash.
In July, Hunt has announced the government would strengthen privacy provisions under the My Health Record Act, including an amendment to ensure records can only be released to police or government agencies with a court order.
“If a person deliberately accessed an individual’s My Health Record without authorisation, criminal penalties may apply. These may include up to two years in jail and up to $126,000 in fines.”
To share tips, news or announcements, contact the HITNA editor on firstname.lastname@example.org