Apr 23, 2019

Manitoba Ombudsman has released an investigation report under the Personal Health Information Act (PHIA) related to the unauthorized disclosure of personal health information of 91 patients who received magnetic resonance imaging (MRI) scans within the Winnipeg Regional Health Authority (WRHA) between 2008 and 2016. The patients’ health information was disclosed in violation of PHIA to several media organizations.

The leaked records were associated with an audit conducted by the Office of the Auditor General of Manitoba (OAG). The OAG was given access to patients’ health information maintained in a diagnostic imaging database. Records prepared by the OAG during the audit were provided to the WRHA in 2016. These records were subsequently leaked by an unknown person or persons to several media organizations in April 2017.

“Manitobans seeking health care expect their health information to be protected and shared only for purposes authorized under PHIA,” said Acting Ombudsman Marc Cormier. “When an intentional privacy breach such as this one occurs, it takes away the control we have over how and with whom our personal health information is shared, and it erodes public trust in a system that is supposed to protect our privacy.”

The intentional violation of patients’ privacy through an unauthorized disclosure of personal health information constitutes an offence under PHIA, for which the offending person may be subject to prosecution and, if found guilty, may be liable for a fine of up to $50,000.

In light of the seriousness of this privacy breach, the ombudsman initiated an investigation under PHIA in April 2017. Our office subsequently received privacy complaints from some affected patients.

Our office initiated the investigation to:

• determine what occurred in the privacy breach incident
• attempt to identify the person(s) who committed the intentional breach (an offence under PHIA)
• review the WRHA’s handling of the privacy breach, as the trustee of the personal health information of the affected patients
• identify factors that may have contributed to the privacy breach
• identify measures to reduce risks to personal health information and to strengthen privacy practices and compliance with PHIA

Our review found that the WRHA responded appropriately to the privacy breach. Our office was not able to determine the identity of the person(s) who made the unauthorized disclosures to media organizations, nor were we able to determine whether the breach originated within the WRHA. However, our review identified several measures that trustees should consider in an effort to minimize the risk of intentional or inadvertent privacy breaches in the case of bulk disclosures of personal health information. This investigation report contains our comments on the measures that we believe can strengthen privacy practices and compliance with PHIA.

The report is available at:

https://www.ombudsman.mb.ca/uploads/document/files/case-2017-0143-en.pdf

About PHIA

The Personal Health Information Act (PHIA) provides people with a right of access to their personal health information held by trustees and requires trustees to protect the privacy of personal health information contained in their records. Under PHIA, the ombudsman investigates complaints from people who have concerns about any decision, act or failure to act that relates to their requests for access to their personal health information, or a privacy concern about the way their personal health information has been handled. The ombudsman has additional duties and responsibilities under PHIA. These include conducting investigations and audits to monitor and ensure compliance with the law, informing the public about PHIA, commenting on the implications of proposed legislation or programs affecting access and privacy rights, and commenting on the implications of information technology in the collection, storage, use or transfer of personal health information.