Privacy breach: unauthorized Gmail use for patient care

AHS notifying affected patients; physician & AHS working cooperatively with OIPC

CALGARY – A physician working at Calgary’s Richmond Road Diagnostic and Treatment Centre is notifying approximately 7,000 Albertans that the security of their personal health information may have been compromised due to the criminal hacking of a personal Gmail account.

The physician’s Gmail account was improperly used to transmit health information in contravention of Information Security & Privacy policies that prohibit conducting clinical business on behalf of AHS and AHS patients using non-AHS issued email accounts.

While there is no present evidence to suggest the patients’ personal and healthcare information has been accessed by the hacker; care and control of the information was unintentionally lost, which constitutes a privacy breach under the Health Information Act (HIA).

“While this privacy breach was unintentional and is deeply regretted by the physician, that does not in any way diminish the seriousness of the matter,” said Dr. Francois Belanger, Vice President, Quality & Chief Medical Officer.

“Our principal focus right now is working to identify and notify all affected patients.”

The hacking incident is being investigated by the Calgary Police Service and AHS is currently conducting an internal review. The physician is cooperating with the AHS investigation.

AHS is working with the physician’s office to notify all affected patients of this potential privacy breach, and is providing a staffed telephone line to provide information to anyone requesting further information or assistance.

AHS’ policy on email use has been clear and consistently communicated. Where AHS physicians, staff and volunteers communicate personally identifiable health information, and both recipient and sender have AHS-issued email accounts, AHS secure email must be used. Where the sender has an AHS email account and the recipient does not (this includes but is not limited to all iCloud, Gmail, Hotmail, and Yahoo accounts), then the AHS email protocol for sending encrypted email must be used.

“Unfortunately, these policies were not followed in this instance, which underscores the need for AHS to do further work to educate physicians and staff about this vitally important practice,” said Dr. Belanger.

AHS has undertaken extensive work over the past several years to build awareness and understanding among staff and physicians about the importance of appropriate access, safeguarding and encryption of patient information.

AHS takes the privacy and confidentiality of patient information seriously and all physicians and staff undertake privacy training.

AHS Legal and Privacy has advised the Office of the Information and Privacy Commissioner (OIPC) about this incident and will be working cooperatively with the OIPC on any upcoming investigations or undertakings.

To protect the confidentiality of the individuals impacted by this issue, AHS will not be releasing further information specific to this breach or the investigation. All affected patients are being contacted directly.

Alberta Health Services is the provincial health authority responsible for planning and delivering health supports and services for more than four million adults and children living in Alberta. Its mission is to provide a patient-focused, quality health system that is accessible and sustainable for all Albertans.