Privacy breach disclosed at The Ottawa Hospital

OTTAWA – The Ottawa Hospital discovered that the records of 30 patients were improperly accessed in 2018. The breach was discovered during a routine privacy check earlier this year.

Among those patients are members of the family of late Ottawa philanthropist and businessman Peter Foustanellas, for whom an endocrine and diabetes centre at the hospital and an auditorium at the University of Ottawa Heart Institute are named.

His widow, Eva Foustanellas (pictured), and her four adult sons received letters in July from the hospital’s privacy officer, Anne Lavigne, notifying them of the privacy breach and offering an apology.

According to a report in the Ottawa Citizen newspaper, Lavigne wrote that an employee of the hospital inappropriately accessed the family members’ health records beginning earlier this year. In the case of Eva, the employee did so three times.

The former employee has been fired, Lavigne wrote, saying the hospital “dealt with her swiftly and appropriately.

“(The employee) was not part of your circle of care. There was no legitimate reason for her to view your personal health information,” Lavigne wrote to George Foustanellas.

“She advised us … that she accessed your file for her own purposes. We have no information to suggest that she copied your personal health information or disclosed it to anyone.”

The former employee is known to the Foustanellases through a family connection, which, they say, added to the shock of the news that their privacy had been breached.

The Citizen tried to contact the former employee several times. A person who said they were speaking on her behalf said she was too distraught to talk to a reporter about the case.

George Foustanellas said the breach has caused him anxiety, imagining people “know every detail of my health records since birth.

“People feel when they go to a hospital their most intimate details about their personal health are being vigorously protected.”

Eva said she was upset by the news. “I don’t understand why she wanted to check everybody’s health records.”

Spiros Foustanellas, another of Eva’s sons whose records were accessed, said the privacy violation has devastated the family. He asked why the hospital doesn’t have a better control system in place around who can access files.

“The hospital has to know that people have to be protected.”

The hospital’s privacy officer wrote to the family that the hospital is “committed to protecting the privacy, confidentiality and security of the personal health information with which you have entrusted us. We ensure that all staff members are trained on their privacy obligations, and provide ongoing awareness materials to remind them of those obligations.”

Under provincial legislation, hospitals and other organizations that handle health information are required to take reasonable steps to ensure that personal health information in its custody or control is protected against theft, loss and unauthorized use or disclosure, according to a statement from the Office of the Information and Privacy Commissioner of Ontario.

The spokesman for the provincial office said it is working with The Ottawa Hospital to assess the situation.

A hospital spokesperson said it has sent notification letters to all patients involved in the privacy breach.

“The Ottawa Hospital is committed to protecting patient privacy and patient information, and regularly conducts privacy checks to ensure the hospital adheres to the obligations of the Personal Health Information Protection Act (PHIPA) and other legislation. Staff are only authorized to access patient health information when it is in the scope of their work-related duties,” the hospital said in a written statement.

The hospital said it uses a wide range of privacy controls, including locked cabinets, usernames and passwords and “role-based access across our systems.”

The approach is consistent with other hospitals and provincial legislation, said the spokesperson, and it ensures staff who provide care have access to information they need while protecting privacy. The hospital said access to information is limited to authorized individuals and enforced through regular privacy checks.

Peter Foustanellas, who founded Argos Carpets, Olympia Homes and other businesses which are now run by his family, donated more than $20 million to various hospitals in the Ottawa area during his lifetime. He died in 2017.