Employee claimed access ‘out of compassion’ for co-workers
A Saskatchewan Health Authority (SHA) employee has been terminated after improperly accessing the personal health information of 98 individuals over nearly a year, according to a report by the Saskatchewan Information and Privacy Commissioner.
Marianne Mann, a unit clerk at Dr. F.H. Wigmore Regional Hospital in Moose Jaw, accessed patient records in the Sunrise Clinical Manager database 102 times between July 2024 and June 2025 without legal authority, the report stated.
The breach came to light on April 23, 2025, when a colleague reported that Mann had approached them with specific questions about their pregnancy, which had been kept private, according to the commissioner’s investigation.
“The witness was upset and correctly believed that only a breach of privacy could account for the snooper’s knowledge,” the report said.
Inappropriate access to health records
SHA audits revealed Mann accessed records of co-workers and family members, including patients who had already been discharged. In one case, Mann admitted to texting a family member about another relative’s hospital admission.
Mann also accessed her own medical records twice without the required “need to know” authorization.
“I was totally in the wrong for checking my co-worker’s record but I did it out of compassion as I genuinely care about my co-workers,” Mann wrote in a submission to the commissioner’s office.
Breach ‘not adequately’ contained
The health authority suspended Mann on June 16, 2025, and terminated her employment on July 2, 2025. However, commissioner Grace Hession David found SHA did not act quickly enough to contain the breach.
Despite identifying suspicious activity during a May 15, 2025 audit and Mann’s admissions at a May 30 meeting, the authority did not suspend her system access until June 19, the report noted.
“SHA did not adequately contain the privacy breach as soon as it could have,” David stated.
The commissioner praised SHA for notifying affected individuals promptly and maintaining privacy training programs. However, the investigation found insufficient proactive auditing safeguards.
David recommended that SHA immediately suspend user accounts when inappropriate access is suspected and implement proactive monitoring of the Sunrise Clinical Manager system.
No formal complaints despite breach
The commissioner declined to refer the matter to Saskatchewan’s Attorney General for prosecution, citing Mann’s termination and minimal harm to affected individuals.
No formal complaints were received from any of the 98 people whose records were accessed.
“The root cause of this privacy breach is a snooper who failed to adhere to administrative safeguards,” the report concluded.
