
3rd Largest Fine Ever Under the HIA
Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.
What Happened
An employee who had access to personal health information (PHI) used and altered that PHI without authorization. The employer discovered the unauthorized access and conducted an internal investigation. Subsequently, the employer reported the privacy breach to the Office of the Information and Privacy Commissioner (OIPC) as required under the Alberta Health Information Act (HIA).
The Alberta OIPC charged an individual with falsifying COVID-19 immunization records of nearly 200 people from September to November 2021 while they were employed in an administrative support staff role at Alberta Health Services (AHS). The false information was entered into the health information system, which feeds into the Alberta Health Immunization record system.
Commissioner’s Investigation
The OIPC opened an offence investigation in June 2023. In March 2024, the OIPC recommended charges under the HIA.
In December 2024, Justice Mah of the Alberta Court of Justice sentenced Hind Mahmoud Dabash to a fine of $12,000 for the offence of knowingly using and creating health information in contravention of the HIA.
The other charge, of knowingly gaining access to the health information of 199 members of the public, was withdrawn.
Take-Aways
The custodian, AHS, was able to monitor and investigate the users’ actions in the electronic medical record systems. This capability is a requirement of health information systems and deters individuals from accessing and altering PHI without authorization.
This case is unusual because the employee altered the results of the immunization records, which could have resulted in inaccurate diagnosis and treatment decisions for the individuals and their families and contacts.
Regular privacy awareness training, monitoring of user activity audit logs, and supervision are essential steps to prevent and detect the unauthorized use of health information.
Reference
Alberta OIPC News Release December 19, 2024. https://oipc.ab.ca/court-case-concludes-in-sentencing-for-offence-under-health-information-act/