The office of the Information and Privacy Commissioner of Ontario received a complaint under the Personal Health Information Protection Act, 2004 (the Act) against a medical clinic (the Clinic). The complaint involved a second incident in which a physician working at the Clinic left a patient alone in a waiting room that had a computer screen displaying the physician’s schedule, which contained personal health information of 35 patients.
This decision finds that the Clinic failed to take reasonable steps to ensure the protection of the personal health information against unauthorized disclosure as required by section 12(1) of the Act. I also find that the Clinic did not notify the affected patients as is required by section 12(2) of the Act. However, in light of the steps taken by the Clinic to address the privacy breach, which included notifying the affected patients, I am satisfied with the Clinic’s response to the breach and it is unnecessary for this matter to proceed to adjudication to consider potential orders.