02/12/2013 06:37 EST | Updated 04/14/2013 05:12 EDT

Regina Health Authority Told To Stop Snooping Staff

REGINA - Saskatchewan's Information and Privacy Commissioner is telling the Regina Qu'Appelle Regional Health Authority it needs to stop its employees from snooping.

The recommendations stem from three incidents that happened in the health authority over the past five years.

In January 2008, some employees at Regina General Hospital logged on to the health information program and looked at a co-worker's information.

Then, in June 2009, a lab assistant accessed her own files and found that someone had made several changes, including replacing her name with vulgar ones, and that "R.I.P." was in her file.

An investigation found an employee had used seven different user IDs to change the woman's information eight times in three months — she would wait until other workers failed to log off a computer, and use their ID to make the changes.

The last incident happened in November 2011, when an employee looked up the health information of several people, including the father of her child, his wife, four of the wife's relatives, and another unrelated person.

In a letter to the privacy commissioner, the health authority said breaches "appear to be intentional, malicious, and for personal gain."

When the woman was interviewed about the breaches, she said she was bored and curious, and that "everybody does it."

All personal health information is protected under Saskatchewan's Health Information Privacy Act.

In his report, the privacy commissioner stated that after the first two incidents the health authority recommended changes it could make to stop breaches from happening again, but it didn't appear they were implemented.

The privacy commissioner said that's why a formal investigation was opened.

The report said the health authority's administrative and technical safeguards aren't enough to keep information safe.

It recommends that the agency revise its safeguards within 120 days, and review its recommended actions for employees in the event of privacy breaches.

The report also suggested the health authority institute a "need-to-know" policy, and set up one for employees looking up their own health information as soon as possible.
