A pharmacist spied on the electronic health records of people she knew and shared what she saw with her spouse
Catherine Tully, the Information and Privacy Commissioner for the Canadian province of Nova Scotia, has released privacy breach investigation reports regarding the activities of the pharmacist.
On December 21, 2017, she began investigating a series of privacy breaches involving a pharmacist, Robyn Keddy, who was employed as the manager of a rural community pharmacy operated by the Sobeys National Pharmacy Group.
The Commissioner determined that the pharmacist had inappropriately accessed personal health information, including prescription history and medical conditions of 46 individuals over a period of two years.
The Department of Health and Wellness initially told Ms Tully that the breaches had been contained and that there was “no evidence” of malicious intent.
However it transpired that Ms Keddy had used the provincial Drug Information System (DIS) to get hold of information about people she had a personal relationship with, including her child’s romantic partner and her parents; her child’s friends, teachers and former teachers; a former classmate from high school; her own former teacher, now deceased; and a person with whom she had been involved in a car accident.
The Commissioner also determined that the pharmacist had created false profiles in order to access personal health information, and had disclosed sensitive health information to her spouse.
At one stage she was heard telling her spouse that her child was not able to see a particular person “because of the medications she and her parent were on”.
She also accessed the records of co-workers and discussed the accesses with pharmacy employees, who said that they had been too frightened to come forward because Ms Keddy was also the pharmacy’s manager.
One had tried to come forward to the Department of Health and Wellness anonymously, saying she feared reprisal, but said she had not received a callback after leaving a message.
“An employee confirmed her spouse was approached by the pharmacist at their home with a document the pharmacist had prepared for signature that claimed the individual had consented to the access and fabricating a reason for the access,” one of the reports stated.
“This employee also had second hand knowledge that the pharmacist had approached up to a dozen other affected individuals in a similar manner.”
Even after Ms Keddy’s employment at the Sobeys pharmacy had been terminated, she continued to use the DIS to get information about people she knew.
Witnesses told the Commissioner that Ms Keddy used the DIS and/or Client Registry to get the personal information of people who were not even clients of the local pharmacy, or who were not receiving or requesting any service from the pharmacy at the time of access.
“The temptation to “snoop” is difficult for some individuals to resist,” Ms Tully said in a statement.
“Custodians of electronic health records must anticipate and plan for the intentional abuse of access by authorized users.”
She later spoke to CTV News Health and said that the pharmacist’s snooping highlighted a “real and present danger” of health professionals intruding into the lives of patients.
“This is a pharmacist, a professional with ethical obligations,” she said.
“It’s shocking that somebody in a position of trust would breach that trust so badly and would fail to recognise the importance of preserving the right to privacy and the integrity of the individuals whose information she breached.”
The reports make 18 recommendations to improve auditing programs and strengthen breach protocols.
At a hearing committee before the Nova Scotia College of Pharmacists, Ms Keddy’s licence to practise pharmacy in the province was suspended for six months.
She was also given a letter of reprimand and ordered to pay a fine of CAD$5000 (AUD$5201) to the Nova Scotia College of Pharmacists.
She was ordered to enrol in and successfully complete a business ethics course.