Nurse Violates Privacy of 5,800 Patients

Veriphyr proactively reports impermissible use of PHI the first time it happens.

Violation Motivated by Curiosity

A nurse at North Bay Health Center in Ontario was the first person to be charged under the Personal Health Information Privacy Act (PHIPA). The hospital found her guilty of 5,800 violations of patient data over six years. Consequently, the hospital revoked her nursing license and suspended her for four months (a).

In the United States, violations of HIPAA has lead to fines, and in some cases, prison time.

The nurse looked at visit histories, prescribed drugs, lab results, and other information a nurse typically uses to perform her job. However, the nurse was not part of the circle of care for these patients, and therefore had no legitimate reason to access the medical records.

According to the official report, the nurse was caught after another employee of the hospital was admitted as a patient. This employee was surprised by the fact that a number of other employees were aware of her admission. As a result, a more careful audit was done of access to this employee’s personal health information (PHI), and the name of the nurse in question arose (b).

The nurse’s acting manager testified,

“She told me that she looked her up for no particular reason. She doesn’t know the patient and had no malicious intent by looking her up… she looked up other patients as well” (b).

As required by PHIPA, the hospital has contacted each affected patient to inform them of the breach of their personal health information and reported the incident to the Information and Privacy Commission of Ontario (c).

Additionally, the hospital has committed to do more rigorous audits, improve protections for PHI, and provide more training about privacy to employees (c).

The recent passing of The Digital Privacy Act in Canada will require even more rigorous response by the hospital.


The Value of Automated Audits

Numerous other hospitals have had to deal with snooping employees in recent years. In each case, the information accessed could include names, addresses, dates of birth, Social Security numbers, and medical history and records.

In 2016, a nurse at Glendale Adventist in LA breached the privacy of 528 patients. This breach was discovered during a routine audit, and resulted in her termination (d).

Shortly before that, Wayne Memorial Hospital in Pennsylvania fired a nurse aid for snooping into the records of 390 patients. The hospital was unaware until another employee filed a report (e).

Automated audits, such as those performed by Veriphyr, could help hospitals identify cases of impermissible use the first time they happen.

Download a white paper on patient privacy audits as an automated service. Learn how Veriphyr proactively identifies unauthorized breaches of patient privacy, even by nurses, doctors, and other authorized users.



(a) The Star, May 12, 2016

(b) North Bay Health Centre v Ontario Nurses’ Association, 2012

(c) SC Media

(d) Los Angeles Times, December 2, 2016

(e) HIPAA Journal, February 1, 2016