Saskatchewan Information and Privacy Commissioner Grace Hession David found that a privacy breach involving an employee at the Dr. F.H. Wigmore Regional Hospital did take place. 

The decision found that a unit clerk in the emergency department inappropriately accessed their own health records as well as the records of 98 other people a total of 102 times between July 2024 and June 2025. 

The commissioner said that, in at least two instances, the employee shared what they had learned from those records with others, including telling a co-worker about private health information and texting a family member about another relative being admitted to hospital. 

The Saskatchewan Health Authority became aware of the breach when the employee approached a co-worker and asked about information related to a recent hospital stay that had been kept strictly private. 

The conversation was reported to a manager, who believed a privacy breach had occurred. 

Why it was a privacy breach 

Under Saskatchewan law, health-care workers may only look at patient information if they need it to do their job. Curiosity, concern or personal interest is not a permitted reason for access, and the rule applies to a worker's own record as well.

The commissioner found the employee was snooping and had no legal authority to view their own health information in the system, access the information of 98 other people, discuss a co-worker’s private medical information or share patient information with family members. 

In response, the Saskatchewan Health Authority investigated the complaint, conducted a detailed audit, and suspended and then fired the employee. 

The authority also notified all affected individuals in writing, reported the breach to the privacy commissioner, and added stronger privacy training and confidentiality agreements. 

The commissioner noted that the authority did not suspend the employee’s access quickly enough, allowed access for longer than necessary after warning signs appeared, and did not have a proactive audit system that might have detected the snooping earlier. 

The commissioner found the employee knowingly and deliberately violated the law despite completing multiple privacy training sessions, signing confidentiality pledges, and knowing there were clear rules restricting record access without a need to know. 

In submissions to the commissioner, the employee admitted they knew accessing the records was wrong. 

“I was totally in the wrong for checking my co‑workers record but I did it out of compassion as I genuinely care about my co‑workers,” the employee wrote to the privacy commissioner. 

The employee admitted they were “a fool” and should have “kept my mouth shut,” and said they did not mean to upset their co‑worker and apologized for their actions. 

Case not referred for criminal charges 

The commissioner decided not to refer the case to the Attorney General to pursue charges, citing the employee’s termination, the lack of formal complaints from affected individuals, limited harm, and the cost of prosecution relative to the public interest. 

Two recommendations were issued by the commissioner. David recommended the authority immediately suspend access to records when there are signs of inappropriate record viewing and introduce proactive monitoring and auditing of electronic health records to detect snooping earlier. 
