Sources say information accessed related to Noelle Paquette murder

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.theobserver.ca/2013/01/28/privacy-breach-at-bluewater-health

Hospital staff have reportedly been fired after a privacy breach at
Bluewater Health.

Multiple sources told The Observer Monday as many as 17 people were
dismissed after non-clinical staff accessed patient information
through a password-protected system — without authorization — earlier
this month.

Sources told The Observer that at least part of the information
accessed is related to the persons charged in the murder of
27-year-old Sarnia teacher Noelle Paquette.

Karen Waymouth, chief information and privacy officer, said she
couldn't confirm whether employees were fired, citing the privacy and
confidentiality of the investigation.

“We do uphold a policy of confidentiality here and that we do have a
policy in place if a breach occurs,” she said. “The appropriate action
was taken.”

Waymouth did not divulge specifics — what information was accessed,
how many people were affected, what type of non-clinical staff were
involved, or what they were doing with the information.

“It's due to the privacy and confidentiality of the individuals, the
people who's charts were accessed, and also the staff that were
involved,” she said.

Staff had access to the computer system because of their jobs at
Bluewater Health, Waymouth said. The breach was confirmed after a
random audit and employee interviews.

She did say fewer than 17 staff members were involved in the breach,
but wouldn't confirm the exact number.

Waymouth contacted patients affected by the breach personally and
apologized, she said, noting their reactions, when she called, were of
disappointment.

The police were not notified, she said, but Bluewater Health was
planning to contact the Information and Privacy Commission.

Mandatory orientation sessions at Bluewater Health cover privacy and
confidentiality, and require employees, physicians, volunteers and
students to sign a pledge of confidentiality — enforced by hospital
policy and law, Bluewater Health officials said in a news release.

Patient confidentiality and patient care are part of a balancing act
when it comes to personal information, Waymouth said.

“Unauthorized or inappropriate access to electronic patient
information is viewed with zero tolerance.”

Staff are planning to re-educate all staff, students, volunteers and
physicians about Bluewater Health's policy, she said, adding hospital
officials do value and trust staff.

“It's disappointing when a policy is not followed and we're unable to
fulfill our obligation to protect patient privacy,” she said.

This is the second time in recent years that Bluewater Health has
reported a security breach.

In November 2010, 123 Bluewater Health patients' personal health
records were breached by an employee at the West Lambton Community
Health Centre, resulting in changes to auditing practices and staff
access levels at both organizations.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.