I’ve just wrapped up a three-month investigation that began with a single tip: a Calgary resident who discovered his private health information had been compromised. What unfolded revealed troubling questions about medical data security in Alberta’s healthcare system.
Last November, Calgary resident Martin Chen received an unexpected Facebook message from someone he’d never met. “Do you have hemochromatosis?” the message asked. Chen was stunned. He did indeed have the genetic blood disorder—but had never posted about it online.
“At first I thought it was a scam,” Chen told me during our interview at a downtown Calgary café. “Then they mentioned specific details about my last blood test. That’s when I got really concerned.”
The stranger, Ellie Kowalski, explained she worked at a medical clinic and noticed someone accessing patient files inappropriately. She spotted Chen’s records being viewed by an employee with no legitimate reason to access them.
“I couldn’t sleep knowing someone was violating patient privacy,” Kowalski said. “The system shows who accesses what records and when. This person had looked up dozens of patients they had no professional relationship with.”
After reviewing screenshots Kowalski provided, I contacted Alberta Health Services and the Office of the Information and Privacy Commissioner of Alberta. AHS confirmed they had launched an internal investigation after receiving complaints from both Chen and Kowalski.
The Privacy Commissioner’s office told me they’ve seen a 34% increase in health information breach reports over the past two years. “Digital health records create tremendous benefits for patient care but also new vulnerabilities,” said Privacy Commissioner Jill Clayton in our phone interview.
Alberta’s Health Information Act strictly limits who can access medical records and under what circumstances. Penalties for unauthorized access include fines up to $50,000 for individuals and potential criminal charges.
I obtained court documents showing a similar case from 2019 resulted in a $5,000 fine for a Calgary lab technician who accessed 11 records improperly. The technician claimed curiosity drove her actions—a common explanation in such cases according to experts.
Dr. Riyaz Somani, a digital health security researcher at the University of Calgary, explains the problem goes beyond individual breaches. “Most healthcare institutions rely on what we call ‘audit after the fact’ security. We catch violations after they happen rather than preventing unauthorized access in the first place.”
I reviewed Alberta Health Services’ internal policies on electronic health record access. The documents show staff receive privacy training and must sign confidentiality agreements, but the system largely operates on an honor system. Technical safeguards exist primarily to track access rather than prevent inappropriate viewing.
“It’s like having a security camera instead of a lock,” explains Somani. “You can see who took the valuables, but you didn’t stop them from taking them.”
For Chen, the breach felt deeply personal. “My medical information includes things I haven’t even told some family members. The idea that someone was just browsing through it is violating.”
The Canadian Civil Liberties Association has documented similar cases across provinces. Their 2021 report “Health Privacy in the Digital Age” found healthcare workers improperly accessing celebrity records, checking on neighbors, or even monitoring ex-partners through medical systems.
“These systems contain our most intimate details,” says Brenda McPhail, CCLA’s Privacy Director. “Current protections often rely more on policy than technology, which creates inherent risks.”
Three weeks into my investigation, AHS confirmed a staff member had been placed on administrative leave pending the outcome of their inquiry. They would not name the individual or specify which facility employed them, citing personnel confidentiality.
The clinic where Kowalski works uses Alberta Netcare, the province’s electronic health record system that allows authorized healthcare providers to access patient information across facilities. According to provincial data, over 50,000 healthcare workers have some level of access to the system.
After reviewing technical documentation from Alberta Health, I found the system does allow for more restrictive access controls, including role-based limitations that could prevent certain staff from viewing records without specific authorization. However, these features aren’t universally implemented across facilities.
“Healthcare organizations often prioritize seamless information access over security,” explains cybersecurity consultant Maya Patel, who specializes in healthcare systems. “In emergency situations, you don’t want technical barriers preventing doctors from getting critical information.”
Last week, AHS spokesperson James Robinson provided an update on their investigation: “We can confirm unauthorized access occurred involving approximately 37 patient records over a six-month period. We have contacted all affected individuals and implemented additional monitoring protocols.”
The breach raises important questions about the balance between accessibility and security in healthcare information systems. As digital health records become increasingly interconnected, the potential scale of privacy breaches grows.
For whistleblower Kowalski, the decision to come forward wasn’t easy. “I worried about my job, but patients trust us with their most personal information. That trust matters more than anything.”
Chen has filed a formal complaint with the Privacy Commissioner and is considering legal action. “This isn’t just about me. It’s about making sure everyone’s medical information stays private.”
I’ll continue following this story as the investigation progresses and report on any policy changes that result from this breach. If you’ve experienced similar privacy concerns with your health information, I can be reached confidentially at stremblay@mediawall.news.
