Fourteen staff members in the mental health program at Lakeridge Health in Oshawa inappropriately accessed more than 500 patients’ files — including mental health patients and the staffers’ own family members — over a period of 10 years, the hospital has revealed.
Lakeridge president and CEO Kevin Empey told the Toronto Star the hospital’s electronic audit system detected an inappropriate access to one patient’s file in June of this year. That prompted staff across a number of departments to conduct a manual review, which showed that 578 patients had had their files accessed by the 14 staff members going back to 2004.
Some of the files were for patients in the mental health program, some were files belonging to relatives of patients in the mental health program, and others were the files of the staffers’ own family members, the hospital said. The investigation, in which the hospital collaborated with the provincial Information and Privacy Commissioner, concluded last month. Letters went out to affected patients on Nov. 24.
The hospital says there is no evidence patient information made it out of the hospital. Empey said the 14 employees were disciplined, but would not say how nor specify their positions. He said they had accessed the files out of simple curiosity or concern for particular patients.
“I take this seriously. I’m extremely unhappy and disappointed in my team,” he said. “I’m apologizing that this has happened.”
He said neither the hospital nor the privacy commissioner determined that the police should be notified. A representative of the Canadian Union of Public Employees said the union had no comment “at this time.”
In a statement, Acting Commissioner Brian Beamish said that his office opened a file last August after being contacted by Lakeridge, saying “Lakeridge Health did take steps to advise us of the measures it had or would be taking to minimize or reduce the risk of a similar incident in future, and in these circumstances we were satisfied with their actions.”
The privacy breach at Lakeridge is the latest in a string of similar incidents at hospitals around the GTA. Last month, former clerk Shaida Bandali was charged by the Ontario Securities Commission with selling securities without a licence for allegedly providing medical records of new mothers at Rouge Valley Centenary Hospital in Scarborough to financial companies, such as those selling Registered Education Savings Plans.
The privacy commissioner launched an investigation after the 2009-2013 breach at Rouge Valley Centenary was revealed by the Star last June. The office is expected to deliver a final report this month.
News of the breach at Lakeridge comes as the Ontario Court of Appeal is set to hear arguments on whether patients can sue hospitals for invasion of privacy. The hearing on Dec. 15 stems from a class-action lawsuit launched by patients whose files were wrongfully accessed in 2011 and 2012 at Peterborough Regional Health Centre.
“My experience has been that these are very unsettling intrusions into patients’ personal lives,” said Michael Crystal, one of the lawyers for the Peterborough patients. He said he was “very concerned” with the Lakeridge Health breach given that it took place over such a long period.
“How could this have happened for so long without detection?” he said.
Empey said the hospital’s computer system has evolved as more records become electronic, and the hospital is working to “refine” its audit program to see “if we might detect issues that the last audit didn’t.”
He said the computer program monitors access, and said the one access in June “tripped those protocols, but other accesses hadn’t, so they had to do a manual review, and going in to see who had made the access.”
Empey said the only people who should see files are those in the patient’s “circle of care,” such as doctors and nurses who are directly treating the patient and would need to see a medical history to make a proper diagnosis.
Sometimes it’s a “judgment call” as to whether a person who looked into a file was part of the patient’s circle of care. “You have to take the time to investigate and take the time to do that assessment,” he said.
Empey said he is communicating with staff about when they can access hospital files, and will require all staff to sign a code of conduct every year to remind them of their responsibilities. They are currently required to do so only at the time of hiring.
Toronto lawyer Elyse Sunshine, who advises health professionals and clinics on privacy issues, said these breaches demonstrate that better training is needed.
“These investigations into breaches are time-consuming and cost money, so it’s better to do it at the front end and train people, so as to avoid having to spend money at the back end to clean up the problems,” she said.
- With files from Joel Eastwood and Marco Chown Oved.