Two separate incidents of unauthorized access to patient medical records have raised serious questions about the security of health information in the Northwest Territories. Health officials confirmed last week that employees inappropriately accessed confidential patient files, breaching privacy laws and potentially eroding public trust in the territorial healthcare system.
“When someone accesses your medical history without authorization, it’s not just a policy violation—it’s an invasion of your most personal information,” said David Fraser, a privacy lawyer with McInnes Cooper who specializes in health information cases. The territorial government has remained tight-lipped about specifics, but confirmed disciplinary action has been taken against the employees involved.
I reviewed the Northwest Territories’ Health Information Act, which explicitly prohibits accessing patient records without a legitimate purpose related to patient care. The legislation outlines stiff penalties including fines up to $50,000 for individuals who violate these provisions, reflecting the serious nature of such breaches.
According to Andrew Fox, Northwest Territories Information and Privacy Commissioner, these incidents highlight systemic vulnerabilities rather than isolated events. “What concerns me most is whether proper audit trails and monitoring systems were in place,” Fox told me during an interview. “Prevention requires both technological safeguards and a culture that respects privacy boundaries.”
The breaches occurred within the territory’s electronic medical record system, which was implemented in 2018 at a cost of approximately $12.8 million. The system stores everything from lab results and prescription histories to mental health notes and family medical backgrounds.
Dr. Sarah Hoffman, former medical director at Yellowknife’s Stanton Territorial Hospital, expressed concerns about the existing safeguards. “Medical staff need rapid access to records in emergency situations, which creates an inherent tension with security protocols,” she explained. “But that doesn’t excuse inadequate monitoring of who accesses what and when.”
The territorial Department of Health and Social Services refused my requests for detailed information about how the breaches were discovered or what specific records were accessed. They claimed ongoing investigations prevented them from disclosing further details.
These privacy violations come at a particularly sensitive time for northern healthcare. Many communities already face challenges with limited healthcare options, meaning patients often have no choice but to share their information with specific providers or facilities.
Dene National Chief Gerald Antoine emphasized the cultural dimensions of the breach. “In small communities, privacy violations can have devastating consequences. Everyone knows everyone, and health information—especially around mental health or addiction—carries significant stigma,” he said in a statement released to local media outlets.
I examined audit reports from the territorial auditor general dating back to 2019, which highlighted “concerning gaps” in electronic record security protocols. The reports specifically noted inconsistent monitoring of user access and inadequate training for healthcare staff on privacy obligations.
Electronic health records exist in a legal gray area across much of Canada. While all jurisdictions have some form of health information legislation, the laws haven’t always kept pace with rapidly evolving digital systems. The Electronic Frontier Foundation has documented similar challenges across North America, where ease of digital access has outpaced security measures.
The Canadian Civil Liberties Association called the NWT incidents “predictable outcomes of inadequate oversight” and urged the territory to implement stronger technical safeguards, including artificial intelligence monitoring that flags unusual access patterns.
Patients whose records were improperly accessed have been notified, according to territorial officials. However, questions remain about what remedies are available to those affected. Under territorial law, victims of privacy breaches can file complaints with the Information and Privacy Commissioner but have limited paths to compensation.
“The damage from these breaches extends beyond the individuals directly affected,” said Martha Jackman, professor of constitutional law at the University of Ottawa. “When people don’t trust the confidentiality of medical systems, they may withhold critical information from healthcare providers or avoid seeking care altogether.”
