TORONTO – Ontario’s privacy commissioner is investigating the possibility that multiple hospitals could be involved in a major patient privacy breach.
Two members of the medical staff at Rouge Valley Centenary hospital had been selling the names, addresses and phone numbers for thousands of new mothers.
The personal information was being shared with private companies looking to sell Registered Education Savings Plans (RESPs).
“It’s just baffling to me,” said Ann Cavoukian, Ontario’s Privacy Commissioner. “It’s the worse case scenario because your health information records shouldn’t be used for anything other than the delivery of health care service.”
An investigation looking at other potential health centres and more patients will take months.
“We’ve already received some calls about potential occurances in other hospitals,” said Cavoukian. “So, we’ll start with the hospital that has been implicated so far and start from the ground up.”
Satori Kamara gave birth to her son, Ethan, at Rouge Valley in January but had been receiving mysterious phone calls last year.
“Why (do) I keep on getting these calls from these people?” said Kamara. “I was a little bit confused because I had signed up for (an RESP) already.”
The breach was first discovered in October 2013 when the first hospital employee admitted to selling personal information.
The second staff member’s involvement wasn’t discovered until March 2014, when patient records had been left on a printer and discovered by someone else.
“This is a huge issue for us,” said David Brazeau, Rouge Valley Health Services spokesperson. “Quality care and privacy of our patients are of the utmost importance so, we’ve been treating this with all the gravity that we can.”
Toronto Police have been contacted to see if any charges can be laid.
“Sharing externally is of course against the rules, against policy, is not principled behaviour and was something that we dealt with immediately,” said Brazeau.
New measures have since been put in place to ensure anyone accessing patient records is identified.