Press release from the Saskatchewan Information and Privacy Commissioner:
Saskatchewan Information and Privacy Commissioner, Gary Dickson, has released his latest Investigation Report H-2014-001 which is a systemic investigation examining several privacy breaches involving misdirected faxes containing personal health information. In total, this investigation captures ten different trustees, including eight regional health authorities, 20 separate files and approximately 1000 affected patients. With a couple of exceptions, all of these breaches involve, not a stand-alone fax machine, but rather faxing features with electronic medical records.
Commissioner Dickson found that, in general, trustees did not have adequate safeguards for preventing misdirected faxes such as policies and procedures, strategies for keeping fax numbers up-to-date and clear accountability for electronic medical records. The Commissioner also observed that, for the most part, trustees did not properly investigate these incidents when they occurred. This suggests this risk has not been properly mitigated.
You can download INVESTIGATION REPORT H-2014-001 here (pdf). From the Executive Summary:
The breaches can be broken down into five categories of breaches:
Category #1 – (338 to 922 possible affected patients, seven trustees): Outdated physician fax numbers in the Radiology Information System (RIS) caused faxes containing personal health information to be misdirected to those without a need-to-know. eHealth Saskatchewan is the Information Management Service Provider (IMSP) which provides RIS support to the trustees.
Category #2 – (seven affected patients, seven trustees): A third party in Moose Jaw received several faxes for physicians no longer providing services for the organization. These breaches can be attributed to a number of different factors including out of date fax numbers in electronic medical records (EMRs); undue care and attention when entering information, choosing where to send faxes and use of an ‘auto suggest function’; and reliance on outdated personal health information in a legacy system.
Category #3 – (three affected patients, two trustees): An incorrect fax number in the College of Physicians and Surgeons of Saskatchewan’s (CPSS) Physicians Mailing List – January 2013 and undue attention paid to subsequent updates caused these faxes containing personal health information to be sent to a third party school. Further, in one case, highly sensitive personal health information regarding a transgendered individual was sent to the wrong recipient via this inherently insecure form of communication.
Category #4 – (Approximately 125 affected patients, three trustees): Another series of breaches involving RIS in which a configuration would not allow changes or updates to patient personal health information affecting where results were faxed.
Category #5 – (22 affected patients, one trustee): These breaches involved an incorrect fax number which was entered into RIS.