[BreachExchange] Sask. Health Authority sends more private health info to computer shop, says frustrated owner

Destry Winant destry at riskbasedsecurity.com
Wed Jan 10 18:10:49 EST 2018


http://www.cbc.ca/news/canada/saskatchewan/sask-private-health-information-1.4480337

The Saskatchewan Health Authority has again faxed private medical
information about a patient to a North Battleford computer shop,
according to the frustrated owner of the business.

Darryl Arnold says his company fax machine received a 21-page medical
report from the Shellbrook Hospital that was intended for a North
Battleford-area doctor.

He said he did not read the document, but the cover page included the
patient's name.

"I feel really bad for [the patient] — because, obviously if they are
seeking medical help, the doctor needs the information that is in this
medical report," said Arnold.

Business keeps getting health faxes

Arnold says Kelly's Computer Works has received numerous faxes from
health authority facilities, dating back to January of last year.

He previously received a fax from the non-invasive cardiology unit at
St. Paul's Hospital — then part of the Saskatoon Health Region, and
since amalgamated into the Saskatchewan Health Authority.

In 2017, Arnold contacted Saskatchewan's information and privacy
commissioner, Ron Kruzeniski, who urged the health region to start
following its own policies when it comes to sending internal faxes.

"I find that [the health region's] faxing practices do not follow its
internal policy and procedure regarding faxing personal health
information," he wrote in a report responding to Arnold's complaint
last October.

Solution not available everywhere

Doug Dahl, communications officer with Saskatchewan Health Authority
in Prince Albert, said that as a result of that report, the former
Saskatoon Health Region developed a system that allowed it to choose a
physician's name, after which the fax would be sent automatically.

"Now that was available in that circumstance; that situation isn't
available everywhere throughout the province and, unfortunately, this
error occurred in a different location," Dahl said. "It wouldn't have
necessarily been rolled out province-wide because, at that time, the
regions were still separate."

The health authority said in an emailed response Tuesday night that
strengthening patient confidentiality practices was a "high priority,"
and that the incident would be reported to the Office of the
Saskatchewan Information and Privacy Commissioner and an investigation
would be conducted.

Dahl said the investigation will have recommendations for how to
reduce or eliminate the possibility that similar incidents will
happen, but he doesn't know if the recommendations will apply
province-wide.

Fax numbers almost identical

Arnold said his company's fax number is nearly identical to the one
belonging to a North Battleford-area doctor's office — it's just one
digit different.

He said he has been in contact with a health authority worker, who
suggested he address the problem by changing his business fax number.

Arnold said he is willing to do that as long as the health authority
compensates him for reprinting company business cards and letterhead.

But he said the health authority did not respond after he sent them
the amount he wants them to pay for the number.

Arnold said the authority also suggested he try to set up his fax
machine to block faxes from health authority numbers, but the company
that sold him the machine has told him that's not possible.

He contacted the Office of the Saskatchewan Information and Privacy
Commissioner on Tuesday.

"My bigger concern is this is affecting the health care of the
patients," said Arnold.

"The doctor is expecting this information at one point and it's not
getting to him, it's getting to me. So … I have a huge concern for the
patients."

Encrypted email would solve problem: Arnold

Arnold believes the problem is preventable.

"They do need to do something about it," he said. "Maybe they need to
consider a different kind of technology."

Arnold thinks the health authority should shift to using encrypted
email to transfer patient information, but believes they prefer to use
fax communication because it provides proof of receipt.

Dahl said there may be other technological solutions to share
information between health-care providers, but financial resources are
a concern.

"Something more robust like an electronic health record is a fairly
large investment," he said. "It would depend upon the amount of
resources required."

