'Oh, he's still alive': Sask. pharmacy student caught snooping on medical records of 114 people

A fourth-year pharmacy student interning at a pharmacy in Regina was arrested for rummaging through the medical records of 114 people who were not under his care.

According to a recent report by the province's privacy commissioner, Ron Kruznicki, the University of Saskatchewan student, who worked at Hill Aveno Drugs, had access to the patients' records through the Pharmaceutical Information Program (PIP) and Electronic Health Record (eHR) viewer.

The student was dismissed by the pharmacy, and Kruznicki says the University of Saskatchewan's College of Pharmacy and Nutrition, eHealth Saskatchewan and the Ministry of Health did not properly address the violations in accordance with the four best practice steps.

This student's appointment at the pharmacy started on May 6, 2024 and continued until he was kicked out of the building on June 25.

According to Kruznicki, a pharmacist saw the student talking to himself and allegedly said, "Oh, he's still alive."

"The student was asked who he was investigating and he quickly rattled off a number of patient searches. After an audit, it was determined that the student was examining patients who were not customers/patients of the pharmacy. This robbery started five days after the student's appointment started.

According to the document, Student's access to PIP and eHR was revoked on June 26 and 27, but it is not clear whether paper copies were made of inappropriate information.

Kruznicki says letters were sent to 109 people in July notifying them that their information had been improperly accessed. It has been confirmed that five of the people whose information was accessed have died.

In total, Kruznicki offered four recommendations for better handling similar privacy breaches in the future.

These recommendations were:

Within 30 days of the issuance of this investigative report, the University of Saskatchewan will amend its student engagement agreement with Mr. Gilbertson and all future trustees to clarify how privacy breaches are handled and the expectations/responsibilities of the University of Saskatchewan and trustees in such circumstances.
Within 30 days of the issuance of this investigation report, Mr. Gilbertson shall develop policies and procedures in accordance with Section 16 of HIPA. These policies and procedures should include monitoring and auditing of student access to the PIP and eHR viewer on site.
Henceforth, eHealth will only provide access to the eHR viewer under the license of the APO associated with the site, not the University of Saskatchewan (except for hospital-based rotations).
Within 30 days of the issuance of this research report, the University of Saskatchewan, Health and eHealth will review the current understanding of oversight responsibilities, the protection of personal health information in the systems, and each party's role in the event of a privacy breach with future appointments. These understandings should be in writing in contracts or policies and procedures so that all parties are clear.
news source