Privacy & Security
Retired doc’s patient records found in dumpster
January 4, 2023
PRINCE ALBERT, Sask. – A retired doctor who was careless with medical records that were meant to be shredded needs to notify former patients whose personal data might have been breached, Saskatchewan’s information and privacy commissioner says. Dr. Lalita Malhotra, a retired doctor in Prince Albert, did not undertake “adequate efforts” to contain or investigate the breach, and did not provide notice about it, Ronald J. Kruzeniski (pictured) wrote in a decision dated Dec. 5.
However, he added, she has taken appropriate steps to prevent further breaches of medical records that remain in her possession.
According to CBC News, in July, the office of the privacy commissioner’s office received a call from Crown Shred and Recycling in Prince Albert, notifying them that medical records had been found mixed in with regular recycling in the city about 135 kilometres northeast of Saskatoon.
The caller confirmed that records had been dumped at the facility by Greenland Waste Disposal, a locally owned waste management company that serves parts of central and northern Saskatchewan. The records came in through regular community recycling, the decision says.
On Aug. 3, three privacy office staff members went to the facility in Prince Albert to investigate the records, finding several that appeared to have come from Malhotra’s office, the decision says.
While they were there, Greenland dropped off a fresh load of recycling that contained even more medical records connected to the doctor’s office. The staff members compiled enough records to “likely fill” 55 or more banker’s boxes, the decision says.
The deputy information and privacy commissioner contacted Malhotra’s office. He left a message for the doctor, but eventually connected with the receptionist who confirmed that a medical office assistant – whom they wouldn’t name – had been disposing of patient medical records, but believed they had been taken to a place where they would be shredded, the decision says.
Malhotra returned the deputy commissioner’s call, explaining they normally would use confidential shredding with the pharmacy next to the clinic, but there was not enough room.
Malhotra said the office assistant and their partner disposed of the records in Greenland’s dumpsters, thinking they would be shredded, according to the decision.
Malhotra said she would be sending about 100 boxes of records to a facility in Ontario for secure storage, the decision says.
Kruzeniski found Malhotra did not do enough to contain the breach. Combined, the medical office assistant and their partner dumped 22 boxes of medical records in unlocked Greenland dumpsters from July 13 to Aug. 2. No documents were bagged or labelled, according to the decision.
When Greenland trucks drop off recycling at Crown Shred and Recycling, it’s left spilled on the facility’s floor, Kruzeniski noted, leaving the documents open for anyone to see, although there is no evidence that this occurred.
It’s also possible his office did not collect all the records that were put in the dumpsters, and they were shipped openly to another facility, which would aggravate the breach, he said.
Greenland Waste Disposal dumps recycling on the floor at Crown Shred and Recycling in Prince Albert, so the medical records could have been accessed by someone at the facility, the decision says. “The longer you go with records out of your physical custody or control, the harder it is to know exactly what happened to them,” Kruzeniski wrote.
Malhotra took some immediate steps to stop records from being taken to Greenland dumpsters after she was notified of the privacy breach, the decision says. However, it appears she did not take further steps, such as contacting the Crown Recycling and Shredding facility in Prince Albert to inquire about whether documents could have gone to other facilities, Kruzeniski wrote.
If the records had gone elsewhere, she could have followed up with them, he wrote, adding that as the trustee of those medical records, it was her duty to do so.
Kruzeniski also found that Malhotra did not do enough to protect the records, such as documenting them and giving proper instructions for their handling and disposal.
He also questioned why Malhotra did not use the confidential shredding service as her office had when destroying patient records during day-to-day operations. This should have been used for all records she was sending, he wrote.
Among the records involved were some for past patients – whom Malhotra hadn’t seen in years – and patients who have died, according to the decision. However, there were some recently dated records including some that contained COVID-19 test results.
As trustee of the documents, it’s best practice to notify those affected unless there are “compelling reasons” not to, the decision says. This should occur as soon as key facts of the breach have been established.
Malhotra might also find recent patients in the records obtained, he wrote, so she should notify the people she thinks she can. Malhotra replied she would try her best to contact the affected patients, but it might be difficult to find current contact information for many of them, so she has proposed announcing the breach in the local newspaper.
Kruzeniski agreed, but noted this should have been done before his office started investigating. He says the notification must include what happened, the type of information involved, a recognition of the possible effects of the breach and an apology.
Kruzeniski recommended that Malhotra notify individuals and the public through the newspaper within 30 days of his decision being issued. He also recommended that she follow through with her commitment to securely shred and store records that are not yet eligible for destruction by Jan. 31, 2023.