Canadian pharmacist fined for routinely accessing health records of acquaintances

She snooped in the EHRs of nearly four dozen people over two years.
By Lynne Minion
11:27 AM
Share
exterior of Sobeys pharmacy in Windsor Nova Scotia

Sobeys pharmacy in Windsor, Nova Scotia. Credit: Google Maps

A pharmacist in Canada has been fined and suspended from practice for six months for spying on the electronic health records of 46 people she knew, including her child's girlfriend.

Robyn Keddy, manager of a Nova Scotia pharmacy operated by Sobeys, one of the Canada's major grocery retail chains, had used the provincial Drug Information System to trawl the confidential records over two years, including those of former classmates, her doctor, a person with whom she'd had a car accident, and her child's therapist, the Nova Scotia Information and Privacy Commissioner Catherine Tully found.

In her investigations into privacy breaches involving the pharmacist launched in December last year, Tully also found Keddy had created false profiles to access the DIS and discussed the private health information with her spouse.

[Also: The biggest healthcare data breaches of 2018 (so far)]

According to the Privacy Commissioner, the delivery of healthcare is increasingly tied to electronic health records but the growing use of interoperable health databases by healthcare professionals also increases the risks of authorized users intentionally using their access for unauthorized purposes.

"The temptation to 'snoop' is difficult for some individuals to resist," Tully said. "Custodians of electronic health records must anticipate and plan for the intentional abuse of access by authorized users."

The Commissioner's investigations found the pharmacist had routinely inappropriately accessed patients' prescription histories and medical conditions, including those of her family members and co-workers.

Keddy was also overheard telling her husband that their child could no longer see his girlfriend as a result of the medications the young woman and her parents had been prescribed.

Following the termination of her employment for the privacy breaches, Keddy continued to inappropriately access people's health information via the DIS.

Tully said the investigation showed that "monitoring of electronic personal health information databases is a critical vulnerability in the province. As a result, intrusion into the private lives of patients is a real and present danger."

The DIS is a multi-use database operated by the province and used by over 11,000 doctors, pharmacists and health practitioners.

In July, the Nova Scotia College of Pharmacists suspended Keddy's license to practice pharmacy for six months and fined her $5000. She was also ordered to pay another $4000 in costs and complete a course in business ethics.

"The College believes that strong sanctions are required to send a clear message to pharmacy registrants that we take the responsibility … to maintain the confidentiality of the personal health information seriously," its registrar, Beverly Zwicker, told CBC.

This article first appeared in Healthcare IT News Australia.

Healthcare Security Forum

The Boston forum to focus on business-critical information healthcare security pros need Oct. 15-16.