Campbellford Memorial Hospital employee makes ‘unauthorized’ access to 3,500 patient records

Campbellford Memorial Hospital is investigating a privacy breach affecting thousands of patients. – Apr 21, 2023

Campbellford Memorial Hospital says an employee has apologized for making “unauthorized” access to more than 3,500 patients’ records.

Global News Peterborough has obtained a copy of one of the 3,500 letters sent to patients last week outlining a privacy breach at the hospital in the Municipality of Trent Hills.

In the letter, hospital chief privacy officer Erin Keogh says a clinician “mistakenly” thought they could access health records of patients not under their care for the purposes of their own clinical education.

Citing privacy and family concerns, Global News will not identify a mother who received a letter stating her son’s health records had been accessed. Before opening the letter, she thought the hospital was soliciting donations for its proposed Campus of Care.

“When I first read the letter, I guess I was just disappointed,” she said. “In 2023 it’s pretty sad that privacy isn’t respected.”

Hospital president and CEO Jeff Hohenkerk says the unauthorized access was discovered during a routine review. An investigation determined the incident occurred “several months ago” and only involved a single clinician not known to any of the patients impacted.

“I want to stress unauthorized is internal — there was no targeted or malicious intent or hacking — it was an internal view of records,” Hohenkerk told Global News Peterborough on Friday.

Letters such as this one have been sent to patients informing them of a privacy breach at Campbellford Memorial Hospital. Submitted to Global News Peterborough

Hohenkerk says the investigation also determined the clinician did not specifically target the records of patients or share the information with anyone else.

“We ensured there was no breach from outside and at the same time made sure that no information was accessed by anyone outside the organization,” he said.

“It’s not a security breach — it’s a privacy breach. There was no downloading or sharing with anyone else. It wasn’t targeted or (a) malcontent. It was for their own clinical education purposes and they didn’t realize it was a form of access that was strictly prohibited.”

But the mother says she doesn’t “buy” the hospital’s explanation, which she heard when Global News informed her that her son is among the 3,500 patients impacted.

“It wasn’t following up on a case and they lifted the wrong patient file that has the same first and last name or a different birthday,” she said. “It’s a case of someone who willingly disregarded people’s privacy — and the hospital’s policy — and still did it anyway.”

“I think that’s probably a safe way that someone is covering their ass,” she added. “I don’t buy it.”

The hospital also notified the Information and Privacy Commissioner of Ontario (IPC) of the incident. In an email to Global News, the IPC says it was notified of the incident on April 14, but can’t provide any further details given the file is currently open on the matter.

“Snooping is a serious issue that can erode patients’ trust and confidence in the health care system,” the office stated. “Health-care professionals need to know that any kind of snooping behaviour, whether motivated by curiosity, personal gain, or even concern, is completely unacceptable and can have devastating consequences for the individuals who are affected and themselves.”

A year ago, two employees were fired after “inappropriately” accessing information pertaining to approximately 500 patients at CMH. The hospital never provided details on their roles or what patient data was accessed.

However, Hohenkerk says the current case is being “dealt with differently” compared to the 2022 incident. Hohenkerk began his role at the hospital in March 2023.

The clinician has apologized and is undergoing further training and will be subject to “enhanced” monitoring, Keogh’s letter states.

“We’ve been directed (by the IPC) to notify patients by letter which we have done,” said Hohenkerk. “We’ve been directed to ensure the clinician undergoes additional training, which we have. And we also have to go through a process to ensure it wasn’t targeted — (that) it was internal and there was no malcontent.

“We followed the process and confirmed our findings.”

The mother impacted says there’s no difference in how or why the health records were accessed.

“Privacy is privacy — it doesn’t matter,” she said.

And she says the hospital has lost her future support.

“If you think I’m going to hand over my credit card to make a donation to the hospital now and do the same thing with it? Not a chance.”

— With files from Sam Houpt/Global News Peterborough

 
