Gary Dickson said his office investigated three disturbing cases from 2008 to 2010 where workers covered by the Regina Qu'Appelle Health Authority improperly accessed the health records of other workers.
In one case, an employee at the Regina General Hospital heard that a co-worker had been receiving health services. She looked up the co-worker's records and displayed them on a computer screen while other workers looked over her shoulder.
At the time, no one present suggested there might be something wrong with that, although the worker later confessed to the co-worker.
In a second case, when a lab employee went into her own medical information, she found that someone had altered her electronic records.
"She discovered that her name, sex, and infectious disease information ... had been changed. Her name was replaced with vulgarities and the acronym 'RIP' appeared in her file," the privacy commissioner's report said.
It was later found that another employee in the health authority had accessed her records seven times.
The third case involved an employee whose husband was involved in a custody dispute with his ex — who also worked in the health region.
The ex accessed the employee's medical records for reasons the health regions said "appear to be intentional, malicious and for personal gain."
Some of the the cases involved suspensions and other disciplinary measures. In one case an employee was fired, but she was later rehired after a labour arbitration.
Dickson said the three cases seem to point to a widespread problem.
"It appeared to my office that perhaps the unauthorized viewing of personal health information involving electronic information systems at [the health region] was becoming a chronic issue," the report said.
Dickson also said the health authority was generally proactive in looking into the complaints, although it didn't clamp down on what was going on even after being alerted about the first case in 2009.
'Everybody does it', worker says
It appeared there was a culture of "everybody does it" that seemed to be at work in the health region, the report said.
Diane Aldridge, director of compliance for Dickson's office, noted Tuesday that workers who nose around in confidential files could face serious consequences whether or not their intentions are malicious.
"Why they're accessing the information isn't really that important," Aldridge told CBC News. "It's about patient confidence, not only in the electronic health record but in the system itself."
Aldridge echoed Dickson's observation that the breaches seemed to be commonplace, according to their investigation.
"[An] employee was asked why she looked at the information [and] she said it was curiosity and boredom and everybody does it," Aldridge said.
Dickson is calling for action to make the system more secure and to stop employees from repeating these kinds of intrusions.
For example, health-care workers who log on to a computer and access medical records shouldn't just walk away when they're done, he says — they must log off so no one else can get into secure areas.