Saskatchewan’s privacy watchdog says the medical information of 109 people was leaked because three doctors share the same last name.
One letter and 85 faxes were said to be “misdirected” to the office of Dr. Darcy Marciniuk (DM), according to an investigation report by Saskatchewan Information and Privacy Commissioner Ron Kruzeniski.
In some cases the faxes were intended for Dr. Jeffery Marciniuk. Both physicians practice in Saskatoon and have the same specialty.
“In one case, a fax should have been sent to Dr. Tanya Marciniuk who also practices in Saskatoon. The misdirected letter should have been sent to Dr. JM (Jeffery Marciniuk),” the report says.
Kruzeniski says the incident underscores privacy concerns around the widespread use of fax machines in the health system. He also pointed to three similar breaches in recent memory.
“In previous investigation reports, I have expressed serious concerns about the privacy risks that arise from the ongoing use of traditional faxes to send personal information and personal health information,” he said.
The leaked information included echocardiography reports, cardiology reports, hospital discharge records, lung function reports, ophthalmology reports, pathology reports, lab results, medical imaging results, patient care notes, referral letters and consultation notes, the report says.
In some cases, it also included a person’s name and health card number, in other instances an individual’s address, phone number, birthdate and gender.
The senders of the faxes included large organizations such as the Saskatchewan Health Authority (SHA) and Saskatchewan Cancer Agency, the report says. Other senders included clinics where multiple health care providers worked, other senders were sole practitioners.
Kruzeniski attributes the leaks to a variety of errors — unclear direction to administrative staff from a physician, the wrong or incomplete name provided by the patient, or the wrong sender chosen from the directory.
After discovering the error, DM says he redirected the faxes and mail to the intended recipients and notified those who sent him the information of the error.
He also reached out to the Saskatchewan Health Authority (SHA) privacy office in February of 2023 in an attempt to “address the problem informally.”
Kruzeniski writes that no one from the SHA privacy office returned his call.
The SHA told the privacy commissioner it has developed a new mandatory privacy training module to prevent similar breaches in the future.
Kruzeniski says the SHA’s new module appears to address the circumstances surrounding the breaches.
“However, additional measures are necessary to ensure that the need to protect privacy and confidentiality is at the top of mind for everyone processing personal health information,” the report says.
One of those additional measures is that the SHA provides privacy training to staff on an annual basis.
The full report from the Office of the Saskatchewan Information and Privacy Commissioner can be read here .