A privacy analyst at Trillium Health Centre is being investigated by Ontario’s privacy commissioner and his own hospital over allegations he tried to block an investigation by the provincial watchdog into a privacy breach.
Earlier this year, Trillium Health Centre mistakenly mailed a patient medical record to a wellness clinic in Halton Region on two separate occasions.
Sharon Harding, the office manager at the clinic who opened both letters, has alleged that Trillium Health Centre privacy analyst Simeon Kanev later accused her of beginning a time-consuming complaint to the privacy commissioner and told her to withdraw the complaint because he “has more important things to do.”
Ontario's Information and Privacy Office and Trillium Health Centre confirmed the privacy breach and told the Star they were looking into Harding's allegations against Kanev.
“We are actively investigating and will take appropriate action pending the results of the investigation,” a spokesperson from Trillium Health Centre said.
The Trillium privacy breach and Harding's allegations come on the heels of several Star investigations into the growing incidence of snooping into patient medical records and poor oversight under the provincial health privacy law.
Contacted by the Star on Friday, Kanev confirmed the privacy breach had occurred and said he notified the affected patient. When asked if he had requested that Harding withdraw her complaint with the privacy office, Kanev said he could not comment and directed the Star to Trillium's communications department.
Kanev joined Trillium Health Partners in April 2014 and describes himself as a “privacy and ethics professional,” according to his LinkedIn page and a website. He has been listed as an expert speaker at health privacy conferences across the country.
Trillium Health Partners, one of Canada's largest community-based hospitals, governs three sites: Credit Valley Hospital, Mississauga Hospital and Queensway Health Centre.
Harding said she opened the first letter from Trillium on Jan. 15 and was shocked to find it included the medical record of a patient who had never been to the wellness clinic.
She said the record included the patient's name, address, hospital identification number, previous and current medical conditions and prescriptions.
Harding said she contacted Trillium and was told by a nurse manager to shred the document.
Two weeks later, on Feb. 2, Harding said, the same document was mailed to the clinic, and she contacted Trillium again.
This time the health centre's privacy analyst, Kanev, came to collect the document personally, Harding said.
Before Kanev arrived, Harding said, she called the provincial privacy office to alert it of the two breaches and to double-check that she should be handing the document over.
She says she was told by a spokesperson at the privacy office to give the record to the privacy analyst so the hospital could investigate the breach.
Harding alleges that two weeks later, Kanev called her and said the privacy commissioner was now investigating the incident and that “he knew I was the one who had complained,” she told the Star.
Harding alleged that Kanev told her the commissioner was “asking for tons of documents” and that he “had more important things to do than worry about one person's privacy.”
“He asked me to withdraw my complaint,” Harding told the Star.
Harding said she was taken aback by Kanev’s phone call and that she contacted the privacy commissioner about the situation.
“I understand we are human and mistakes happen, but to get a disturbing call from the person who is supposed to protect our private records telling me to withdraw my complaint was out of line,” Harding said.
“This is somebody's private records. It's supposed to be private; we count on it being private.”
Trillium Health Centre confirmed to the Star that a patient report was wrongly mailed out in January and February this year due to a “clerical error.”
“Once the hospital was made aware of this we immediately took steps to contain the incident and staff from the privacy office retrieved the report in person,” a Trillium spokesperson said.
The hospital notified the affected patient and has submitted an incident report to the privacy commissioner’s office, the spokesperson said.
The Information and Privacy Office said the individual who reported the breach also notified the office of an incident where “Trillium Health apparently asked her to withdraw her complaint.”
Because the woman was not the patient affected by the breach, she was not deemed to be a complainant and the file was treated as a commissioner-initiated complaint, a privacy office spokesperson said.
“This means that we would continue to look into the breach even if she requested to withdraw the report. To do so would ignore a potential breach that needs to be addressed,” the spokesperson said, adding that the office would be following up with her on the call she received from Trillium Health.
“Because this is an open file, we cannot provide further details,” the spokesperson said.