Dec 12, 2017

Manitoba Ombudsman has released a report under the Personal Health Information Act (PHIA) related to unauthorized access to personal health information in the databases of the Provincial Drug Program (PDP) branch within Manitoba Health, Seniors and Active Living (MHSAL).

The ombudsman initiated an investigation into this breach in 2014. In April 2016, the ombudsman charged a former employee of the department with an offence under subsection 63(2)(b) of PHIA and held the finalization and release of the investigation report in abeyance pending the conclusion of the prosecution. In 2017, the individual was found guilty and fined $7,500.

“We are releasing this report so that trustees of personal health information and their employees can benefit from the findings and conclusions of our investigation,” said Ombudsman Charlene Paquin. “Organizations that hold personal health information must have policies, procedures and safeguards in place to ensure that this information is only accessed by employees who have a legitimate work-related purpose for doing so. Employees need to know that snooping into the personal health information of others is a very serious matter.”

The ombudsman’s investigation reviewed incidents of unauthorized access and the department’s response to these incidents. This included examining the measures in place to prevent, detect and respond to the breach.

The ombudsman found instances where the department did not respond in a timely way to address and mitigate the risks of the privacy breach and identified a need to improve the sufficiency of policies and procedures. Subsequently, the ombudsman made 11 recommendations to the department to assist in ensuring that it complies with its obligations under PHIA. 

“Our office recognizes that the department has made improvements since the discovery of the breach and we are pleased that they accepted all of the recommendations in the report and have either implemented or committed to implement them,” said Paquin.

The report is available on the ombudsman’s website at:

https://www.ombudsman.mb.ca/uploads/document/files/case-2014-0500-en.pdf

About PHIA

The Personal Health Information Act (PHIA) provides people with a right of access to their personal health information held by trustees and requires trustees to protect the privacy of personal health information contained in their records. Under PHIA, the ombudsman investigates complaints from people who have concerns about any decision, act or failure to act that relates to their requests for access to their personal health information, or a privacy concern about the way their personal health information has been handled. The ombudsman has additional duties and responsibilities under PHIA. These include conducting audits to monitor and ensure compliance with the law, informing the public about PHIA, commenting on the implications of proposed legislation or programs affecting access and privacy rights, and commenting on the implications of information technology in the collection, storage, use or transfer of personal health information.