A strange case made public by the NWT’s information and privacy commissioner details a nurse first denying they accessed their own medical records, then admitting it and being disciplined.
In a report dated August 15 but only made more broadly available this week, commissioner Andrew Fox described a case involving a nurse in a Tłı̨chǫ community. The nurse and community are not identified.
On October 28, 2024, Fox stated, the Tłı̨chǫ Community Services Agency became aware of evidence that the nurse had viewed their own electronic medical records.
While someone reading their own medical information might not raise some residents’ eyebrows – certainly compared to other breaches – Fox said an employer banning that kind of action makes sense, even if the legislation doesn’t directly deal with such a scenario.
The end user agreement employees must sign to use the records system states, in part: “I understand that accessing my own health record is inappropriate.”
“Prohibiting employees from accessing their own personal health information directly helps the health information custodian to protect the security and integrity of the information stored in the EMR,” Fox wrote, using an initialism for electronic medical records, “and to ensure that the legal requirements and exceptions applicable to individuals seeking access to their personal health information are complied with.”
The gap in the legislation wasn’t the only odd circumstance of the case.
According to Fox, the nurse first denied accessing his file and asserted he had been hacked.
TCSA, which appears not to have believed that response, issued two disciplinary “letters of reprimand” for a privacy breach and ordered him to complete privacy training while raising the matter with the nurses’ regulatory body.
Eventually, in March 2025, the nurse received his own copy of an audit of his records and altered his stance, telling TCSA – in Fox’s words – that he “did not recall accessing his own EMR but agreed that the report showed that he had.”
The nurse subsequently wrote directly to Fox to report the breach.
In finding that the nurse had indeed accessed his own records without authorization, Fox criticized TCSA for having left the initial audit that uncovered the incident – sent by the NWT’s Department of Health and Social Services – unopened for five months before eventually reading it in October 2024 and taking action.
“I can only observe that TCSA was ‘lucky’ that the notice of unauthorized use did not involve a more serious matter,” Fox wrote.
Otherwise, he added, TCSA responded appropriately, though he suggested privacy training must be delivered at the earliest possible opportunity. In this instance, the nurse did not receive that training until he had spent nearly two years in the role.
Lastly, Fox enigmatically stated: “I will note that this incident was a small part of a larger set of circumstances that collectively have been a significant drain on TCSA’s resources. It is clear that TCSA requires additional support to address the underlying issues that contributed to this breach.”