Victim says breach was ‘absolutely terrifying’

Hey there, time traveller!
This article was published 01/05/2024 (617 days ago), so information in it may no longer be current.

WINNIPEG — Two Winnipeg residents who were notified a health worker snooped on their medical records — among a string of recent privacy breaches in the province — are demanding the system be made more transparent and accountable.

Daniel Hidalgo and Shontise McFadyen received identical letters from the Winnipeg Regional Health Authority in December, alerting them an employee had inappropriately viewed their personal health records dozens of times.

The pair are colleagues at CommUNITY204, a non-profit organization founded by Hidalgo to serve Winnipeg’s homeless population.

According to the letters, viewed by the Winnipeg Free Press, the privacy breach was identified during a routine audit earlier that month.

“It’s absolutely terrifying because all you can think is there must be some kind of spiteful or malicious intent behind it,” Hidalgo said.

“I immediately responded. I needed to know who this was and if this could be somebody who knows me personally. I wanted to know what they accessed, how long they had access — are there cameras showing them taking photos of these records or were they printed?”

Records provided to Hidalgo by WRHA officials and shared with the Free Press show the woman accused of snooping had allegedly done so 19 times over a period of about nine months.

Hidalgo has met the woman on several occasions through his advocacy work. He believes she may have been working in public health, but does not know why she would look at his personal records.

The health authority refused Tuesday to confirm the woman’s official job title or whether she is still employed in the region.

“The WRHA cannot discuss personal information regarding employees,” a spokesperson said in an email.

Collectively, the woman spent 46 minutes reviewing Hidalgo’s private information, records show.

Vienna McIvor, the mother of Hidalgo’s children, also received notice from the WRHA that her information had been viewed by the same employee 28 times, she said.

McFadyen’s information was accessed six times.

“It’s been a terrible experience,” McFadyen said. “It’s extremely upsetting not knowing what that information is being used for … I think there needs to be a better system and more audits throughout the year so this doesn’t continue to happen.”

McFadyen said she has never met the woman accused of breaching her privacy.

The Winnipeggers felt compelled to speak out after a Free Press story reported a Manitoba nurse had been suspended and fined earlier this month after snooping into patient records. She was one of at least five nurses punished for ethics breaches since 2018.

Hidalgo said his incident has shaken his faith in health-care oversight, leaving him to wonder how seriously privacy breaches are tracked, investigated and punished.

“When you’re put into a position to have access to this kind of stuff, the training needs to be thorough, the severity needs to be clear, the understanding of what you’re able to access has to be made completely transparent,” he said. “I don’t want somebody employed that has access to this stuff that could be doing these things.”

The WRHA letter states it has reported the incident to the Manitoba ombudsman, which is tasked with investigating potential privacy breaches.

“The WRHA takes your privacy very seriously and we are deeply sorry this happened. I also want to assure you that we have taken steps to ensure that this individual can no longer access personal health information,” says the letter, signed by health services manager Shannon Watson.

“All employees must undergo regular mandatory training on appropriate use of personal health information. The employee in question had the requisite training and should have known better.”

Both Hidalgo and McFadyen said they have since followed up with the ombudsman for updates on the investigation. They were told it could be a lengthy process, Hidalgo said.

In an email statement, the ombudsman’s office said it cannot comment on specific cases or confirm whether an investigation is ongoing.

According to the office’s annual report, public institutions — including provincial government departments, educational bodies and health-care facilities — reported 69 privacy breaches between 2022 and 2023.

One-third of all reports came from health facilities and 12 cases involved personal health information.

The most common causes of privacy breaches were related to theft, misdirected communications and unauthorized disclosure. Five of the breaches were related to snooping, the report says.

It is unclear how the office tallies reports in which one person is accused of numerous privacy violations.

The WRHA would not provide statistics detailing how many times it has disclosed breaches to its patients in recent years.

It also did not explain how employees who violate privacy legislation are prevented from accessing personal information in the future, particularly if they leave the position, facility or health region where the offences occurred.

Hidalgo said he believes the woman accused of viewing his medical records is now employed at a women’s resource centre elsewhere in Winnipeg.

A woman with the same name is listed in the centre’s staff directory as a gender-based violence case worker, but calls to her office were not returned Tuesday.

The facility’s executive director also did not respond to requests for comment.

Hidalgo wonders how Manitoba’s health authorities can be sure she no longer has access to sensitive client information, he said.

“I don’t know why this was done. I don’t know why she felt the need to look up the mother of my children or staff,” Hidalgo said. “If you have a history of abusing that privilege, then it’s scary to know you’re just going to keep putting yourself back into roles where you might have access.”

Health Minister Uzoma Asagwara was not available to comment Tuesday.

» Winnipeg Free Press