
N.W.T.'s medical record system under the microscope after 2 reported cases of snooping
CBC
Medical records are among the most sensitive pieces of information that a government agency keeps on citizens. But these records are not impervious to snooping, as evidenced by two distinct cases reported this year by the Northwest Territories Information and Privacy Commissioner.
The privacy commissioner issues reports on cases in which an investigation yields evidence of intentional and unauthorized access to private health information, commonly known as "snooping."
This year, commissioner Andrew Fox publicly reported two distinct cases of snooping in electronic medical records. They both involved employees of the Northwest Territories Health and Social Services Authority (NTHSSA).
Taken together, the cases illustrate vulnerabilities in the NTHSSA's electronic medical record (EMR) system. According to at least one expert, the EMR system doesn't appear to meet the highest ethical standards for patient privacy.
An EMR is a digital version of a patient's medical history. It can include things like test results, X-rays and prescriptions.
One of the cases published online this year by the privacy commissioner involves an instance in 2021 in which an administrative clerk with NTHSSA deliberately opened a person's EMR and relayed some of their private health information to another person. The clerk did this "without consent and without lawful authority," wrote Fox.
The clerk admitted to wrongdoing during an NTHSSA investigation, and was fired some months later.
Fox called this a "particularly egregious, intentional privacy breach." He said the health authority's response was appropriate, but that the agency should have revoked the employee's EMR access as soon as it confirmed the breach.
The health authority uses "role-based access" to the EMR system, meaning an employee's access is limited to what is necessary for their role.
Fox noted that on occasions when the clerk was assigned to other roles, the NTHSSA didn't restrict her EMR access in accordance with those roles.
The second case published this year involved two NTHSSA employees who, on multiple occasions, snooped in the medical records of a patient who wasn't in their care. The employees were siblings and the patient had previously been in a relationship with one of them.
It wasn't until the patient filed a "record of activity" request in July of 2023 — a report on who had looked at her EMR — that she learned of the breach.
"I was disgusted. I felt incredibly violated," said Maryse Gravelle, the patient whose medical records were snooped on.
"Our financial institutions have software in place to identify when there's a fraudulent charge possibly being made on our accounts," she said. "How can a banking institution have those sorts of safeguards in place, but there's no alerts on hospital software, on emergency medical records, to alert when there's a suspicious action in somebody's chart?"













