A privacy investigation has found a former healthcare employee broke the law when she accessed and used health information, and that Alberta Health Services (AHS) didn’t ensure she was aware of safeguards.

The Alberta Office of the Information and Privacy Commissioner released details on an investigation that stemmed from an announcement in late September 2016 that a former employee at Alberta Hospital had accessed health information for hundreds of people over eleven years.

At the time, AHS was contacting the 1,309 people whose information was improperly accessed between 2004 and 2015 in Netcare, the province’s electronic health record system.

Information for another 11,539 people was also accessed through the Netcare Person Directory, a subsystem of the personal records network.

AHS said the employee accessing the information worked at Alberta Hospital Edmonton, and the accesses were discovered after the employee’s activity was audited.

People affected by the breach were contacted, and the Privacy Commissioner received 30 written complaints over this case. The number of complaints, coupled with the number of people affected and media coverage, prompted Privacy Commissioner Jill Clayton to open an investigation.

Clayton said this case, and another in Calgary where health information for a woman and her daughter was accessed, were both “significant” breaches of privacy.

“The focus of the investigation shifted from the employee to AHS’ implementation of safeguards,” Clayton said in a statement. “This report should be a wake-up call for anyone responsible for protecting Albertans’ health information, alerting them to the potential consequences if they fail in their duty to implement and maintain reasonable safeguards to protect health information.”

The investigation found that coworkers had raised concerns about this particular employee more than once between March 2014 and July 2015.

In one case, the AHS Privacy Office advised a coworker to get a Netcare Audit Log, which shows instances where a person's own health information has been accessed. The log showed the employee in question had accessed the coworker's health details.

The employee’s use of the system was reviewed, and she was fired.

The Privacy Commissioner’s investigation resulted in four recommendations for AHS, including reviewing privacy training at Alberta Hospital and across the AHS network, reviewing the adequacy of the process for investigations into Health Information Act issues, and reviewing the criteria and approaches used to audit employee access to and use of Netcare.

As of August 31, 2018, amendments to the Health Information Act went into effect. The amendments include a fine of at least $200,000 for a person who fails to follow regulations outlined in the Act.