FAXING HEALTH INFORMATION TO THE WRONG PEOPLE

Nova Scotia – 2006 – 2016

For over 10 years dozens of highly sensitive mental health records were faxed to Lisa Belanger’s Bedford spa; faxes which should have gone to a mental health referral office. “She estimates she receives between eight and 14 a year.” (1)  She contacted the doctors offices that sent the fax, and “an official at the former Capital District Health Authority, hoping someone there would take action to stop it.”(1)  They said memos were sent to all doctors offices telling them to carefully enter fax numbers and to have “the proper preset fax number on the fax machine” (1)  But Ms. Belanger continued to receive faxes.  Really, how hard is it to preset a fax number?

“She says she subsequently called Health Minister Leo Glavine’s office, the College of Physicians and Surgeons and the office of Nova Scotia’s privacy commissioner.” (1) * “Belanger was concerned about the personal information on the documents.” (5)  She said “she’s been repeatedly assured by health officials the problem would be fixed, but the faxes continued.” (5)  “She has even made suggestions on improving the way faxes are transmitted.” (1)  Finally, in 2016, in frustration she contacted the CBC. (5)

“Everton McLean, a spokesman with the Nova Scotia Health Authority, said doctors are independent and the authority can’t tell them what to do.” (1)   And yet, “Nova Scotia’s Personal Health Information Act says it’s an offence to fail to protect personal health information in a secure manner. Anyone found guilty may be subject to a fine of up to $10,000 or imprisonment for six months, or both.” (1)  I think if you start enforcing the law there would be change.  Also, doctors are paid from tax dollars so, I believe, the government can put conditions on receiving those funds.   “Halifax privacy lawyer David Fraser” said “‘The larger concern for me is the apparent casualness with which these documents are being faxed and also what seems to be the response when they’re told that they’re going to the wrong place,”‘ Fraser said. (1)

When this issue hit the media, the privacy commissioner started to pretend to do something (they do like their name in the media). Privacy commissioner Catherine Tully made recommendations (5) which the doctors are free to ignore.  In fact, I suspect that most doctors aren’t aware that a report was written much less read it.

 

“Tully said if the information had ended up in the hands of someone who knew the patient, the harm would be ‘close to irreparable.'” (5) We don’t know that some unreported mis-faxed information hasn’t gone to people who know, or will know, a patient and the patient just hasn’t heard about it.  We only know about the faxes reported to the media.

“Privacy commissioner Catherine Tully wrote in a report… that momentary inattention and human error by those sending the faxes are to blame for the three cases her office examined.” (5) But, between 80 and 140 faxes went to Ms. Belanger’s spa over 10 years.  Were all these human error?  And, at what point, does human error become incompetency or just disregard for people’s rights?

“The report says doctors notified each of the patients whose privacy was breached.” (5) Were these just the patients in the three cases Tully received or all 80 to 140 patients whose personal/health information was received by Ms. Belanger?  The report also does not say when or how the patients were notified, nor is there any verification that it is true.  A victim of the breaches, whose name was not given, said “he only learned of it this week when Belanger herself contacted him to say his information had been faxed to her last fall.” “‘This is pretty serious stuff,” he said. “This can ruin people’s relationships, careers, a whole myriad of things.'” (2)

As of June 1, 2013, “’The Personal Health Information Act does require that notification goes to somebody,’ (bolding mine) said Robert Bay” (a Nova Scotia privacy commissioner spokesperson).   “So the question is: Is the notification to the individual whose privacy has been breached or is the notification to our office? The determining factors are the degree of harm or embarrassment that would result from the breach.” “He says if the” ‘custodians’ “who hold the personal information”, the doctors, “determine there is no potential harm or embarrassment, then the person whose information was mishandled may not be told.”  “The commission said it has no way of knowing how many breaches resulted in notification to patients.” (2)  In essence, unless the commissioner has been notified, they have no way of knowing if anyone was notified.  And, why would you notify the commissioner if there is no potential of harm or embarrassment to the patient and not when there is?  Why are the doctors given the right to make this decision?  Isn’t that a conflict of interest?  How often do you think doctors will decide “no harm done” and not inform patients that their privacy was breached and not inform the privacy commissioner.  Not that notifying the privacy commissioner is any great help.  All they can do is write a report and/or encourage/recommend as they have no enforcement powers.

 

North West Territories – 2010

On four separate occasions, in a two month period, confidential files were mistakenly faxed to the CBC from the N.W. T.’s main hospital. If this weren’t so serious, it would be funny.

The hospital then imposed a faxing freeze “on any medical documents unless it is an emergency”. (4)

“In addition to the freeze, the hospital has also implemented a temporary policy requiring two staff members to oversee the faxing of confidential documents, Lewis said” (CEO of Stanton Territorial Hospital). (4)

“This ‘double-checking’ policy, which is meant to ensure the faxes reach the right destination, will stay in place until a permanent solution is found, she said.” But, as usual for the government, “she wouldn’t give specific details about any measures being taken”.(4)

In 2012 the CBC received its 6th sensitive medical fax in two years. (6) This came from Kugluktuk, Nunavut health centre.  “The fax included information about the patient and their sexual health history.”  “In a statement, the department said it’s investigating. It added that health centres are required to use pre-set speed dials for confidential patient referrals”.  (6)

“At the time, Health Minister Tom Beaulieu said a summer student sent that fax. The department has not yet said if any action was taken, or why the faxes continue to come to CBC North in Yellowknife.”  (6) It certainly illustrates how important privacy is – the faxes continue and very sensitive patient information is given to a summer student.  But the government/medical business will tell you that it takes your privacy very seriously — just propaganda.

 

Alberta – 2014

“Entering incorrect telephone numbers into fax machines is being blamed for more privacy breaches of personal health information by Alberta Health Services.” (3)

“Documents obtained by CBC News through access to information show that Alberta Health Services were regularly (bolding mine) sending faxes intended for Strathcona Home Care to a custom home builder in Sherwood Park over a two-year period.” (3) “At one point the builder was receiving as many as one fax each week.” (3)  “Despite repeated calls, the faxes continued until company owner Dianne Ingram sent AHS a fax of her own.” “She scrawled, “You have the wrong fax number!! Stop faxing us!!.” (3)  Also faxes were sent to a manufacturing company. (3)

“Patients often go uninformed when their information is disclosed.”  (3)

“While AHS is not obligated to report breaches, Hamilton (Brian Hamilton, with the Office of the Alberta Information and Privacy Commissioner) said his office encourages AHS to inform all patients whose privacy has been breached.” (3)  Sorry, but, in my opinion, “encourage” is essentially meaningless.

“’This is highly sensitive information and an issue of public trust,” privacy commissioner Frank Work said. “How can the public have faith in public bodies if they can’t provide security for personal information?”‘ (7) (Bolding Mine). He was referring to laptops but it is just as relevant to faxes.

‘”It’s surprising,” Hamilton said during an interview. “The health sector in particular, spends millions of dollars on information systems with secure access, and yet people keep faxing.”‘ (3)

“Sending personal information by fax is a less secure method of transferring information compared to encrypted emails, he said.” (3)

Dr. Verna Yiu, with Alberta Health Services said “We do rely on cooperation of the recipient to let us know that” (they have received a mis-fax), “and I would have to say that in general (italics mine) people are pretty co operative about that.” (3)  This is NOT a privacy policy.  This is NOT how you protect patient information.

 

Some Questions:

  1. In all these cases, the doctors offices, violating patients privacy, were not identified. Should they be? Would you want to know who is not taking care of your information?
  2. Most people who violate people’s privacy are either not disciplined, disciplined (ex. A day or more off without pay), or fired. Should the penalties be stiffer? Do we have a right to know what disciplinary action is taken under what circumstances so we can determine if this is sufficient or excessive?
  3. Don’t you think THE PATIENT should be notified in all cases so the PATIENT can decide the degree of harm in violating the patient’s privacy?
  4. Should there be a central phone number that people can call when they receive medical information that belongs to someone else?

You may have noticed the trend by the government/medical system: it’s someone else’s responsibility, there is nothing we can do, false promises to fix it or we’ll look into it but the people never hear if anything was ever done to fix the problem.  And if it hits the media, the “problem” is sent to the privacy commissioner, who writes a report.  The report may say “Order No.” but it is not an order, it is a recommendation which the medical system is free to, and I suspect in most cases does, ignore.  So what changes – NOTHING.  Mistakes are made, and I think people would be mostly forgiving, if they knew concrete steps had been taken to fix the problem.  Instead we get propaganda – we’ll fix it, trust us, trust us.  Save the money from all these useless, money-sucking,, reports and put it into software/training for something positive such as end-to-end encryption and enforcement; privacy might be protected and money saved.

And, these violations are only the ones that are reported to the media. These are, no doubt, the proverbial tip of the iceberg.  I suspect there are some medical people who are very careful about patient’s privacy.  But, we don’t know who they are, therefore all are suspect.

I am deeply grateful to Ms. Belanger and Ms. Igram for sharing the information with the media; and to CBC News for publicising the problem. It is the only way we are learning that our information is not protected.  And, until we know the truth, we cannot try to fix the problem.

* I contacted a Minister of Health, Victor Boudreau, twice and requested an organizational chart/description of the health system in a province (who reports to whom and what are their responsibilities). Never got a reply (see future post tentatively titled “My Story – Part II).

 

  1. Mental health records sent to Nova Scotia spa in error over last decade – Yvonne Colbert, 07 Apr 2016, CBC News
  2. Victim of mental health privacy breach in Nova Scotia feels “very exposed” – Yvonne Colbert, 08 April 2016, CBC News
  3. Unsecure faxes put health data of Albertans at risk – Kim Trynacity, 10 Feb. 2014, CBC News
  4. N.W.T. Hospital clamps down on medical faxes – 07 Jul 2010, CBC News
  5. Privacy commissioner says doctors should move faxing patient referrals – Yvonne Colbert, 23 Nov. 2016, CBC News
  6. CBC Yellowknife newsroom gets 6th medical fax in 2 years – 30 Jul 2012, CBC News
  7. Security on stolen laptops was inadequate: privacy commissioner – 24 Jun 2009, CBC News