Saskatchewan Privacy Commissioner Did ‘Nothing Wrong’ Reporting Privacy Breaches

An emergency vehicle is seen near the crash site on April 6, 2018, after a bus carrying a junior ice hockey team collided with a semi-trailer truck near Tisdale and Nipawin, Saskatchewan province, killing 14 people. Saskatchewan's privacy commissioner has found eight people inappropriately accessed the electronic health records of ten Humboldt Broncos team members involved in the bus crash. (KYMBER RAE/AFP/Getty Images)
The Canadian Press

SASKATOON—Saskatchewan’s privacy commissioner says he feels vindicated after a court decision involving a doctor who inappropriately examined health records of Humboldt Broncos team members who were in a deadly bus crash.

In February, commissioner Ronald Kruzeniski determined eight people, mostly doctors, had snooped on the electronic health files of 10 people.

The province’s health agency had started monitoring the electronic profiles of the patients—which included lab results, medication information, and chronic diseases—after the crash and forwarded concerns to the privacy commissioner.

Kruzeniski’s reports, which were posted online, detailed the privacy breaches.

Dr. Crombie Stebner, who looked at the files of three patients, took the privacy commissioner to court to prevent him from identifying her in his reports.

Her lawyers won an injunction requiring Kruzeniski to remove the reports from his website. A publication ban prevented the media from reporting that information.

In his decision released in late March, Justice Richard Danyliuk lifted both the injunction and publication ban.

“Dr. Stebner’s position appears to be that if disclosure of her identity would cause her upset or embarrassment, it should not be disclosed in any circumstances,” he wrote in the decision. “That is not the law.

“The commissioner did nothing wrong in this case.”

Kruzeniski said he appreciates the judge’s comments.

“Anytime you have a breach of data or have somebody snooping, the fact that there might be a report about it certainly can cause concern about reputation or embarrassment,” he said in an interview this week.

“I’m really pleased he said, ‘Sorry, that might be the case, but that’s not a justification for having the reports removed or having a publication ban so that nobody can talk about it.’”

Kruzeniski had only identified Stebner as Dr. M (her previous surname is Maltman) in the public report.

“In this case, the final report went out with a very limited distribution with the actual names in it, but when we posted it on the website we opted to go with initials,” he explained. “I was certainly disappointed with the breaches but ... it was not as significant as someone who snooped 1,400 times.

“In the scale of things, we were trying to strike that balance.”

The judge noted the irony that Stebner’s name is public now because she took the matter to court.

“Had Dr. Stebner simply let the matter lie, her name likely never would have come to the attention of the public and the matter would have simply blown over,” Danyliuk wrote. “She certainly had the right to bring this application.

“However, in doing so the consequences flowing from the lack of success are hers alone to bear.”

Stebner’s lawyers did not respond to a request for comment, but she said in an email included in court documents that she had treated two of the patients prior to the collision. She said she checked the records of three players because she didn’t remember the name of one of the individuals.

She argued she was in their “circle of care” and needed to know how they were doing so she could “get closure” and restore her focus at work.

The privacy commissioner’s report led to a number of recommendations, including monthly audits on the physicians involved in the breaches.

He also recommended that eHealth comply with a need-to-know principle rather than a circle-of-care concept and that users be required to regularly review their training.

eHealth Saskatchewan co-ordinates and maintains electronic health information for many public health-care organizations across the province.

The organization has previously said it took a number of measures to address the breaches.