Privacy & Security
Employees at hospital found to be selling health records
June 18, 2014
SCARBOROUGH, Ont. – Ontario’s privacy commissioner, Ann Cavoukian, is now investigating the breach of as many as 8,300 patient records at Rouge Valley Health System in Scarborough, just east of Toronto. According to the hospital, two employees had been leaking the records to outside companies that were paying for the data.
The patients were, for the most part, mothers who gave birth at the hospital between 2009 and 2013. The companies were calling to sell Registered Education Savings Plans, said Rouge Valley spokesperson David Brazeau.
“They say, ‘Do you have children? Do you want an RESP?’” Theeban Nanthakumar told The Toronto Star. Nanthakumar’s wife gave birth to three daughters between 2010 and 2013 at Rouge Valley.
Nanthakumar, who lives in Oshawa, said he continues to be inundated with calls from the companies and has saved the numbers on his cellphone contact list so he knows not to answer when the phone rings.
Three months ago he was one of thousands of patients who received a letter from the hospital explaining the privacy breach.
“We’ve apologized and informed as many patients as we could,” Brazeau said. “It’s something that should not have occurred.”
Brazeau said the patients’ contact information was turned over to private companies by two hospital employees. “The two employees were being paid by external companies, completely contrary to our hospital policy,” Brazeau said. “They worked for us, and then they had something on the side.”
Rouge Valley management first learned of the privacy breach in October 2013, when one of the employees involved in the scheme voluntarily came clean, Brazeau said.
The hospital launched an internal investigation and in December sent letters to 7,600 patients who may have been affected.
Three months later, the hospital realized there was a second leak after someone noticed patient records left on a printer, sparking a second investigation. The hospital uncovered the second employee in March 2014.
After a two-month investigation, the hospital sent letters to a further 699 patients in May. Brazeau said they don’t know if there’s any connection between the two staff members. The hospital chose not to go to the police, Brazeau said.
“We went to the two authorities that best apply,” Brazeau said. The Office of the Information and Privacy Commissioner and the Ontario Securities Commission are both investigating the affair.
Privacy commissioner Ann Cavoukian said in a statement the hospital had followed her office’s recommendations on what to do after such an incident.
“My office will review the hospital’s policies and procedures to ensure that it is complying with all of its responsibilities under the Personal Health Information Protection Act,” she said.
According to information on the privacy commissioner’s web site, “We have launched a major investigation into the incidents involving two staff members at Rouge Valley Hospital, who misused personal information for the purpose of selling Registered Education Savings Plans.”
The privacy commissioner continued: “So far we are satisfied that the hospital has responded to the breaches appropriately, for example, by terminating the staff involved.
“However, as we continue the investigation, we will be looking at the steps taken to ensure that this does not occur again in the future. It appeared to be an isolated incident when first reported to us, but this is clearly not the case. My office will review the hospital’s policies and procedures to ensure that it is complying with all of its responsibilities under the Personal Health Information Protection Act.”
After news emerged of the privacy breach at Rouge Valley Health System, some speculated that similar breaches may be occurring at other hospitals. Ms. Cavoukian also responded to these claims: “We have also received a number of calls from members of the public and have read reports in the media of the possibility that this may be occurring in other hospitals in Ontario. No others are under investigation as of yet, but we will be reaching out to the hospitals mentioned, as part of our investigation. At the present time, we have no evidence to suggest that Rouge Valley Hospital employees had access to records relating to patients of other hospitals under a shared electronic health record. However, in our ongoing investigation, we certainly will be looking into this possibility.”
St. Michael’s Hospital launched its own internal investigation after hearing from a woman who was contacted by a private RESP seller after giving birth at the hospital, a spokesperson said.
“We’re trying to find out if any of her information was released in a manner that was unauthorized, how that happened,” said Leslie Shepherd, a spokesperson for the hospital.