Nurse’s gossip uncovers privacy breach

Nurse sacked for snooping in patient files
By Erin McCann

An Ontario hospital has fired a nurse who was found to have been improperly accessing the protected health information of some 1,300 patients for more than nine years.

The 106-bed Norfolk General Hospital dismissed the employee in March after receiving a call from a former patient who expressed concern that their protected health information was known in the community, which has a population of some 14,700. The individual was "basically hearing from other neighbors and friends and people in the community things that would be on their medical file," NGH spokesperson Janine Van Den Heuvel told Healthcare IT News.

Following an investigation, hospital officials discovered the nurse had violated Canada's Personal Information Protection and Electronic Documents Act, or PIPEDA, by accessing patients' electronic medical records on several occasions dating as far back as 2004. "We don't know why she was accessing the files inappropriately," said Van Den Heuvel, but that information will be released upon the conclusion of the arbitration process.

The information accessed included patient names, dates of birth, phone numbers, health card numbers, physician, next of kin and clinical reason for visit.

"We sincerely apologize for this occurrence and for any concerns this may cause," reads an Aug. 12 NGH notice.

The hospital has increased the number of random audits on multiple users, according to hospital officials. "We have conducted random audits on 15 users over the past three weeks. We will be looking at other ways we can improve our auditing," the notice read.

Patients were notified of the breach Aug. 8.

Unlike the U.S. Office for Civil Rights, the HHS sub-agency responsible for investigating HIPAA privacy and security violation complaints, the Office of the Privacy Commissioner of Canada, which investigates complaints, has limited enforcement power.

The office cannot order compliance, levy fines, award damages or require organizations to report breaches; organizations aren't even required to notify affected patients. All of this has prompted many officials, even Canada's privacy commissioner herself, to call for reform.

"The enforcement model provided under PIPEDA appears increasingly out of date," wrote Privacy Commissioner Jennifer Stoddart in a May 2013 report on reforming PIPEDA. "With other jurisdictions continuing to move towards granting their data protection authorities the power to award damages, administer fines, make orders, and/or require organizations to report serious breaches, Canada needs powers comparable to those in other jurisdictions in order to have meaningful impact on privacy protection."

The Canadian government has records of more than 3,100 breaches from 2002 to 2012, but only 399 were reported to Stoddart's office, according to a report by the Huffington Post Canada.

The report highlights more than 1 million people who had their private information accessed inappropriately, lost or stolen when held by government agencies. "It looks like the Privacy Commissioner has been kept in the dark through most of it - and the government doesn't seem to know how many people have been affected," Charlie Angus, a New Democratic Party Member of Parliament, told the Huffington Post in April. "That is the concerning part of it."
