Sask. privacy commissioner calls health authority's response to faxed data breaches inadequate

Saskatchewan's privacy commissioner is urging the provincial health authority to part ways with fax machines after investigating numerous privacy breaches involving the dated method of communication.

The commissioner's office has investigated approximately 42 incidents of misdirected faxes by the Saskatchewan Health Authority (SHA) since 2018.

The SHA did not adequately respond to two recent data breaches where staff sent private information to random recipients rather than the intended health-related professional, according to latest report on the issue from Saskatchewan's information and privacy commissioner Ron Kruzeniski.

Information was sent to the Town of Gravelbourg and the Parole Board of Canada, according to the investigative report from Kruzeniski, dated Nov. 28, 2022.

The privacy commissioner was notified of the data breaches because the organizations reported receiving the information his office.

After investigation, Kruzeniski determined that the SHA didn't do an adequate job of notifying the affected people, nor did it take adequate steps to prevent further breaches.

He also noted that, since January 2022, he has issued seven investigation reports involving misdirected faxes. Kruzeniski said the SHA does not report all errors to his office, so he doesn't know how many more breaches occurred.

"I have serious concerns about the privacy risks that arise from the ongoing use of faxes to send personal information and personal health information," he wrote.

He has previously recommended that the SHA proactively report all misdirected fax breaches to his office so they can track and report publicly on the progress of "SHA's efforts to address the privacy risks and bring some transparency and accountability to its work to address this problem." 

"SHA has stated that it does not agree with this recommendation." 

The town of Gravelbourg notified the commissioner's office on June 15, 2022, that it had received information from the Maple Creek public health office.

The town reportedly destroyed the information and the commissioner's office commenced an investigation.

The SHA did not notify the person whose privacy was breached until the end of August. According to the report, the SHA stated it attempted to call the person before that, but had no luck.

"SHA should not have waited two months before mailing the written notice," Kruzeniski wrote.