Full Report
Shawn Slaght reports: Saskatchewan Information and Privacy Commissioner Grace Hession David found that a privacy breach involving an employee at the Dr. F.H. Wigmore Regional Hospital did take place. The decision found that a unit clerk in the emergency department inappropriately accessed their own health records as well as the records of 98 other people...
Analysis Summary
# Incident Report: Unauthorized Internal Access to Patient Health Records
## Executive Summary
An insider threat incident occurred at the Dr. F.H. Wigmore Regional Hospital involving a unit clerk in the emergency department. This employee inappropriately accessed their own medical records and the records of 98 other individuals over a period spanning nearly a year. The incident was ultimately adjudicated by the Saskatchewan Information and Privacy Commissioner, who found that access controls and auditing failed to prevent or promptly detect the unauthorized snooping, which also included sharing patient information outside authorized channels.
## Incident Details
- Discovery Date: Sometime after June 2025 (determined through investigation leading to the Commissioner's decision)
- Incident Date: Between July 2024 and June 2025 (Period of unauthorized access)
- Affected Organization: Dr. F.H. Wigmore Regional Hospital
- Sector: Healthcare
- Geography: Saskatchewan, Canada
## Timeline of Events
### Initial Access
- Date/Time: Access initiated July 2024
- Vector: Authorized User Access (Insider Threat)
- Details: A unit clerk in the emergency department used their legitimate credentials to access the Electronic Health Record (EHR) system.
### Lateral Movement
- N/A: The activity consisted of using legitimate access for unauthorized purposes, staying within the boundary of the employee's authorized role; no network lateral movement took place.
### Data Exfiltration/Impact
- Date/Time: Throughout the incident period (July 2024 – June 2025)
- Details: The unit clerk's access totalled 102 instances, covering their own record and the records of 98 other people. In at least two confirmed instances the employee shared protected health information (PHI) externally: once by telling a co-worker, and once by texting a family member about a relative's hospital admission.
### Detection & Response
- Detection: Auditing/monitoring eventually flagged the excessive or inappropriate access, leading to an investigation and subsequent decision by the Privacy Commissioner.
- Response Actions: The Commissioner noted that the authority "did not suspend the employee's access quickly enough" and "allowed access for longer than necessary after warning signs appeared." Details of the organization's immediate response are not given beyond the eventual review by the OPC.
## Attack Methodology
- Initial Access: Authorized System Credentials (Insider)
- Persistence: Continued employment with authorized access privileges.
- Privilege Escalation: N/A (the activity occurred within the system access level granted for the job, but outside the purpose for which that access was granted).
- Defense Evasion: The lack of a proactive audit system allowed the snooping to continue undetected for nearly a year.
- Credential Access: N/A (Used own authorized credentials).
- Discovery: N/A (Internal user exploiting existing access).
- Lateral Movement: N/A.
- Collection: Directly viewing and noting content within EHRs.
- Exfiltration: Verbal disclosure to co-worker; textual sharing (SMS/texting) to family member.
- Impact: Unauthorized viewing and disclosure of Protected Health Information (PHI).
## Impact Assessment
- Financial: Not specified in the summary.
- Data Breach: Access to 99 unique individuals' Protected Health Information (PHI), involving 102 total access instances.
- Operational: Potential erosion of trust in the EHR system's security controls. Staff disciplinary actions likely occurred.
- Reputational: Negative findings published by the Saskatchewan Information and Privacy Commissioner (Grace Hession David).
## Indicators of Compromise
- Behavioral Indicators: Excessive access to records outside of direct job duty scope; repeated accesses to personal or specific named patient files; unauthorized external communication (texting) regarding patient status.
- Network Indicators: N/A (the evidence resides primarily in EHR system access logs).
- File Indicators: N/A.
## Response Actions
- Containment measures: Access was likely restricted after warning signs appeared, but the Commissioner noted this was too slow.
- Eradication steps: Employee access was likely terminated following the conclusion of the internal/commissioner investigation.
- Recovery actions: Not specified, but standard recovery would involve re-training and process reviews.
## Lessons Learned
- **Inadequate Auditing:** The organization lacked a proactive audit system capable of detecting inappropriate access patterns early.
- **Slow Remediation:** Warning signs were noted, but the suspension of the employee's system access was delayed, allowing the breach to continue for an extended period.
- **Insider Risk Visibility:** Internal processes failed to enforce the principle of least privilege for data viewing, even though the user had legitimate access rights to the system itself.
## Recommendations
- Implement a proactive, automated auditing system focused specifically on monitoring EHR access patterns for unusual activity (e.g., accessing records of friends, family, or high volume of non-assigned patients).
- Establish and strictly enforce clear policies regarding immediate access suspension or restriction upon identifying definite warning signs of inappropriate data access.
- Conduct mandatory, recurrent specialized training for all staff handling PHI regarding acceptable use policies, focusing on the personal risks of browsing records not directly related to current patient care.
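The following is an added illustration, not part of the Commissioner's decision or any hospital system, of what the proactive audit recommended above might look like as a rule set run over EHR access logs. It flags the behavioural indicators listed earlier (self-access, viewing patients outside the user's assigned encounters, repeat views of the same unassigned record, and a high daily volume of unassigned accesses); the log format, the assignment roster, the staff-to-MRN mapping and the volume threshold are all constructed assumptions.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample access log: timestamp,user_id,patient_mrn,action,reason
SAMPLE_LOG = """\
2024-07-02T08:10:00,clerk17,MRN1001,VIEW,ED-encounter
2024-07-02T08:12:00,clerk17,MRN2048,VIEW,none
2024-07-02T09:40:00,clerk17,MRN2048,VIEW,none
2024-07-02T11:05:00,clerk17,MRN3300,VIEW,none
2024-07-02T11:06:00,clerk17,MRN3301,VIEW,none
2024-07-02T11:07:00,clerk17,MRN3302,VIEW,none
2024-07-02T13:00:00,nurse04,MRN1001,VIEW,ED-encounter
"""
# Constructed roster: which MRNs each user was assigned to on which day.
ASSIGNED = {("clerk17", "2024-07-02"): {"MRN1001"},
            ("nurse04", "2024-07-02"): {"MRN1001"}}
# Constructed: each staff member's own patient MRN, needed to spot self-access.
STAFF_OWN_MRN = {"clerk17": "MRN2048"}
UNASSIGNED_DAILY_LIMIT = 3  # assumed threshold; tune to the unit's baseline

def parse_log(text):
    """Parse CSV access events into dicts and derive a 'day' field."""
    fields = ["ts", "user", "mrn", "action", "reason"]
    rows = list(csv.DictReader(StringIO(text), fieldnames=fields))
    for r in rows:
        r["day"] = r["ts"][:10]
    return rows

def audit_access(events):
    """Return a sorted list of (user, indicator, detail) findings."""
    findings = set()
    repeat = Counter()        # (user, mrn) -> views of an unassigned record
    daily = defaultdict(set)  # (user, day) -> distinct unassigned MRNs viewed
    for e in events:
        user, mrn, day = e["user"], e["mrn"], e["day"]
        if STAFF_OWN_MRN.get(user) == mrn:
            findings.add((user, "self_access", mrn))
        if mrn not in ASSIGNED.get((user, day), set()):
            repeat[(user, mrn)] += 1
            daily[(user, day)].add(mrn)
    for (user, mrn), n in repeat.items():
        if n > 1:
            findings.add((user, "repeat_unassigned_access", f"{mrn} x{n}"))
    for (user, day), mrns in daily.items():
        if len(mrns) >= UNASSIGNED_DAILY_LIMIT:
            findings.add((user, "high_unassigned_volume",
                          f"{day}: {len(mrns)} records"))
    return sorted(findings)
```

In a real deployment the roster would come from the encounter or scheduling system and each finding would feed a review queue so that access can be suspended as soon as a warning sign is confirmed.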