The information and privacy commissioner’s report said the nurse had to click through warnings verifying their need to look at the information on some of the files. (650 CKOM)

By Lisa Schick/CKOM News Staff

Sask. children’s hospital nurse fired after snooping on 314 patients

May 5, 2025 | 4:07 PM

A maternity ward nurse at the Jim Pattison Children’s Hospital in Saskatoon was left without a job after snooping on the medical records of 314 people.

The province’s privacy commissioner has more recommendations for the health authority.

According to then-Information and Privacy Commissioner Ronald J. Kruzeniski’s report, the registered nurse had worked one day a week from home, but took a leave of absence from work in August 2021 that ended up totalling 16 months.

In the first three and a half months of that time, the nurse used their Saskatchewan Health Authority (SHA) issues laptop to snoop through the electronic records system used for maternal services and the clinical manager system, to look at 2,437 medical records for 314 people, including six colleagues.

The nurse didn’t respond to Kruzeniski’s notification that his office was investigating, but his report said the health authority’s investigation found the nurse had no good reason to go looking through the records.

Broadway School update

Broadway School building and land to be sold soon: SHA

39m ago

municipal politics

Air Ronge council approves balanced budget

1h ago

No arrests made

Police investigating non-fatal shooting

2h ago

In the report, Kruzeniski explained some of the medical records had warnings on them, which popped up before they allow a person to access them, asking them either if they had a real reason to access it, or what the reason was. The nurse didn’t have a good reason, but clicked through the pop-ups despite the warning.

According to the commissioner’s report, the SHA discovered the unauthorized accesses in December 2021 and disabled the nurse’s user account and access.

The investigation didn’t begin until October of 2022 and the nurse wasn’t interviewed about it until they returned to work in January 2024.

Kruzeniski said he was told the authority couldn’t interview them until they returned, but said the authority couldn’t point to any specific policy or provision in the collective bargaining agreement which stated that.

The nurse was fired in March 2024.

The privacy breach was reported to the information and privacy commissioner’s office in August 2024, just a few days before notifications were sent out to those whose medical records were accessed by the nurse.

In his report Kruzeniski pointed out this was five and a half months after the health authority had determined a privacy breach had occurred, and about two years after the breaches actually happened.

The commissioner found in this case that the SHA didn’t take reasonable steps to contain the privacy breach, but that it’s notices to the people whose privacy was breached weren’t adequate. He said they should have offered more information, should have included the nurse’s name and the fact they’d been fired and information on how to get a new health card number, if wanted.

Kruzeniski also found the SHA conducted an adequate investigation into what happened, but that plans to prevent a future breach aren’t adequate and that the SHA’s actions and policies mean it didn’t comply with Health Information Protection Act (HIPA).

The commissioner said employees should get privacy training and have to sign a pledge every year — which may or may be happening, depending on the answer Kruzeniski got. He said the SHA also needs to consider the need to reduce access to systems for people on extended leave and getting back IT equipment, like laptops, from those employees.

Kruzeniski said he has a lot of concerns about snooping in health care, he has written many reports about it and even wrote a blog post about it ten years ago. He said progress has been made but there is still a concerning amount of snooping going on.

“I cannot overstate how important it is for Saskatchewan’s trustees to make every reasonable effort to ensure that those who are tempted to snoop are not successful and that personal health information is protected,” wrote Kruzeniski in the report.

To that end, the commissioner recommended, as he has previously, that the health authority implement random and focused audits on employee’s accessing of records. He said the SHA recently said it’s working on building standard auditing processes but there’s nothing in place now.