By Lee Griffi, Local Journalism Initiative Reporter

The Woodstock Hospital has released some details about a privacy breach that occurred between January and May of this year. The organization released a statement on social media late last week and has sent letters to 56 patients who had their privacy breached.
“At Woodstock Hospital, we are committed to safeguarding our patients' personal health information and take any breach of privacy very seriously.”
It went on to say through its regular auditing processes it identified an employee viewing patients' health information without a valid work-related reason.
“Through our investigation, we confirmed that this was, indeed, the case, and this employee no longer works at our organization. As per Ontario’s Personal Health Information Protection Act, we reported it to Ontario's Information and Privacy Commissioner and notified the patients impacted by this incident.”
It added several measures are in place to protect patient health information.
“These include monthly audits, with both targeted and random checks, to ensure compliance with privacy standards. Access to patient information is also carefully monitored and controlled based on the specific needs of each staff member’s role. We sincerely apologize to the patients affected by this breach.”
Woodstock resident Ryan Purdy is one of the 56 people affected by the privacy breach. He is questioning the hospital’s public statement as the person accused of accessing patient records without cause did so while “several measures are in place to protect health information.” The alleged breaches took place between January and May of this year, something Purdy has trouble understanding.
“I don’t like that at all. They clearly said in their statement they do monthly checks for random and targeted occurrences and mine and the other 55 people would have been a targeted incident. So why did they let this person go for five months?”
He did receive a call from the hospital’s director of health information and privacy officer, Libby General.
“According to their servers, nothing was downloaded but she couldn’t guarantee me the person didn’t use a phone to take pictures.”
Purdy added he did approach the Woodstock Police Service to see if there is potentially a criminal aspect to the incident but unless the hospital initiates an investigation, nothing will be done. He said as far as he knows that has not occurred.
“When I talked to the police (earlier this week) they told me they were surprised no one from the hospital reached out to them. That’s exactly what they told me. I told them there were 56 of us and they thought that was strange (the hospital) wouldn’t reach out to police.”
He explained he has been a regular user of the emergency room at the hospital over the last 24 months due to anxiety, depression and panic attacks.
“When I got COVID I got heart palpitations and ever since then when I get them, I go to the ER to make sure I’m not having a heart attack. Is it ok to do that now? Is there a relation between the other 55 people? Were they looking up people who had the most visits, or were they looking at people suffering from mental health issues? Is there some kind of similarity between the 56 of us?”
Purdy added he is contacting a lawyer who deals with privacy breaches to see where it goes and said General assured him the person who accessed his information was not a member of the ER team.
“She said the person who checked my file wasn’t in the department. She was on a different floor.”
He added he was offered the name of the former employee but expressed concern for her privacy. The last time Purdy went to the ER in Woodstock he was told by medical staff that any time his record is accessed a card needs to be used which keeps a record of who is looking at his information.
“That’s what I am trying to get at. If they knew this person was doing this over the course of five months, why did it take so long to finally do something? Even the doctor and crisis worker told me the second they pull up my file it shows who is looking at it. They are allowed to because I am in their care.”
He said General told him most of the people targeted were ER patients. Purdy said he asked why the hospital wouldn’t have noticed the activity since the now former employee wasn’t in that department.
“She said she didn’t know what happened. She didn’t know why it was missed.”
The Echo was able to obtain the letter sent to Purdy by General. It said, “The employee was not involved in your care and had no work-related reason to be looking at your personal health information.” It added that anything outside that is considered inappropriate and is contrary to the hospital’s privacy policy.
Another concern for Purdy is if his health card number has been compromised.
“I don’t know if my number is out there somewhere. People sell them on the black market to maybe an immigrant wanting to come over here who doesn’t have health care. What if my number gets flagged and my health care gets suspended pending an investigation?”
Purdy said he’d like to talk to the other 55 people affected.
“There is strength in numbers.”
The Echo reached out to Chelsea Fagan, the hospital’s communications and public relations officer, and Perry Lang, president and CEO, and asked several questions including if police would be contacted. The reply was brief.
“Thank you for your inquiry. At this time, we do not have any additional comments beyond what has been shared on our official channels.” The hospital did not send out a news release but put the statement on their social media channels only.
Patrice Hilderley is chair of the hospital board and provided a statement.
“The Woodstock Hospital Board of Trust is aware of the recent privacy incident. The hospital has taken all necessary steps to address the situation, and the investigation is now being handled by the Information and Privacy Commissioner’s Office. As a result, we are unable to provide any further comments at this time.”
While Ontario’s Information and Privacy Commissioner couldn’t comment on the Woodstock Hospital case directly, Patricia Kosseim did provide a written statement.
“Woodstock Hospital notified our office about this incident on July 15. Given that our investigation is ongoing, we cannot provide additional details at this time. We cannot speculate on the length of our investigation but would be pleased to follow up with you when there are further developments.”
She added the probe will examine the hospital’s processes.
“When we investigate a privacy breach, we look to establish whether the breach has been contained, whether the appropriate people have been notified, and whether corrective action has been taken to address the underlying causes of the breach and reasonable safeguards have been put in place to prevent future breaches.”
Kosseim added unauthorized access to personal health information, or snooping, erodes patients’ trust and confidence in the health care system.
“Whether motivated by mischief, personal gain, or sheer curiosity, snooping is unacceptable and can have devastating consequences for patients and health care professionals. All health care providers in Ontario must have the necessary safeguards in place to detect, prevent, and reduce the risk of unauthorized access to personal health information.”
The maximum administrative penalty for breaking privacy laws in Ontario is $50,000 for individuals and $500,000 for organizations.
“Our office takes a proportionate approach depending on the severity of the contravention and will consider a number of factors in determining the appropriate amount of penalty to impose in a given case.”
Kosseim added if a person’s actions or inactions are serious enough to amount to an offence under the act, they could be subject to prosecution and fines of up to $200,000 for individuals and $1 million for corporations, and possible imprisonment.