Alberta Health Services to blame for unauthorized access of Calgary patient’s records

Lax practices at AHS is to blame for dozens of health workers unlawfully accessing and using the health information of a Calgary patient and her daughter, an investigation has found.

The action, launched by the Office of the Information and Privacy Commissioner, was taken after the AHS Privacy Office was notified of a breach of information by the emergency department manager at South Health Campus in 2015.

The patient in question had been flagged as “confidential” when she was admitted to the hospital.

That’s because she was accused of killing her special needs teenage daughter. That patient, Christine Hagan, later died of cancer. Police said she killed her daughter, 19-year-old Jessica Hagan.

No charges were ever laid.

But an internal audit at AHS identified 160 employees who accessed information on the patient and her daughter and, while the majority of accesses were authorized, 49 employees are believed to have broken the rules.

An investigation by the OIPC found that the accesses made by these employees were in contravention of the Health Information Act, but did so under the knowledge of managers with the AHS.

OIPC also found that AHS did not take reasonable steps to put technical and physical safeguards in place to protect the information.

For example, the 49 employees identified in the case did not have any privacy training.

The AHS disciplined the employees and, through its own investigation, learned that all the workers believed they were accessing the information for legitimate purposes that were known and supported by management. As a result of that finding, the AHS reduced or rescinded its disciplinary action against the staff members accordingly.

The OIPC has made six recommendations for the AHS in regards to this case and will continue to follow up to confirm progress.