Lakeridge Health

Lakeridge Health Data Breach (2004)

low

VERIS
Disclosed

January 1, 2004

8121 days ago

Records

578

Confirmed

Root Cause

Insider Threat

Industry

Healthcare

Description

Lakeridge Health has notified 578 people this week that their hospital records were inappropriately accessed. Hospital officials say 14 staff members who provide mental health services have been disciplined over the privacy breach, which occurred during a 10-year period between December 2004 and summer 2014.

"We're letting the community know, we're advising patients -- those who have had their records accessed -- that it's formally a privacy breach," said Kevin Empey, the hospital's president and CEO. "We have engaged the Privacy Commissioner of Ontario to make sure we're following their protocol on how we communicate with patients and manage the issue."

The breach was flagged by auditing software that monitors access to patient records. Mr. Empey said that only staff who are in a patient's circle of care -- directly involved in their treatment -- should be looking at electronic health records. The 14 staff members had been accessing information about previous patients as well as patients' family members.

"What we have concluded is this was curiosity or concern about people that had been patients of theirs before," said Mr. Empey. He said the information was not sold or released outside of the hospital, as was the case at Rouge Valley Health Systems where a former clerk was recently charged with selling information of about 8,300 patients to financial companies.

"To (the 14 Lakeridge staff involved) it was an innocent check; maybe someone was in a different department before and they went 'are they OK?'," said Mr. Empey. "Staff rationalized it as 'it's just my eyes ... it's not like the Rouge scenario where I'm selling something.'"

Hospital officials are attempting to contact every patient whose records were inappropriately accessed and Mr. Empey said about 20 have contacted the hospital with follow-up questions. "What we've done is we've written a letter to all of the patients, we're following up with phone calls, some of them are proving hard to locate."
Though he said 14 staff members were disciplined, Mr. Empey did not specify what form the discipline took, saying that in some cases it was minor and in some cases it was major. Lakeridge staff sign a code of conduct when they're hired that includes provisions on patient privacy and as a result of the incident Mr. Empey said staff will be asked to sign the code every year as a reminder of their responsibilities. Further, as president and CEO he will be raising the issue of privacy with staff.

"It's very upsetting, I'm not at all happy about this and it's made me realize I haven't been talking about privacy, it's just expected that's how we should behave," he said.

Mr. Empey said the hospital continues to improve the detection side and the auditing process for finding privacy breaches and said the auditing team has started contacting other hospitals to learn from them. There will also be some restrictions on what portion of patient records staff can access, but Mr. Empey said there are challenges to limiting access for hospital workers. "We have to make sure we don't tie ourselves in knots and prevent health care from happening," he said.

However, he doesn't believe a solution will come through software. "The fundamental control is not the computer program, it's the awareness and the staff understanding their responsibility to treat the information very carefully."

As to whether he expects a lawsuit as a result of the privacy breach, Mr. Empey said he doesn't know, but he said there's no evidence the information has been used for any purpose that would harm anyone. Mr. Empey points out that 578 may be a large number but across Durham, Lakeridge serves 250,000 to 300,000 patients per year. "This is a problem and we're working on it but this isn't as if all patients had a problem at Lakeridge Health."