Statement from Brian Beamish, Acting Commissioner on the Rouge Valley Health System Privacy Breach

Our investigation into the incidents involving two staff members at Rouge Valley Health System misusing and disclosing patient information for the purposes of selling Registered Education Savings Plans is ongoing. We have met with senior hospital staff and we continue to gather information about these incidents.

The Rouge Valley Health System (RVHS) has two hospital facilities - Rouge Valley Centenary Hospital and Rouge Valley Ajax and Pickering. The two hospitals share an electronic information system to which the two employees who have been identified as responsible for the breach had access. Initially, the hospital reported that the employees had used and/or disclosed information relating to patients at the Centenary site, only. However, we have learned that the two employees may have also used and/or disclosed the personal health information of patients who had given birth at the Ajax and Pickering site.

As a consequence, the RVHS has decided to notify any patients who gave birth to a child at the Rouge Valley Ajax and Pickering site in the period from July 2009 to April 2014 as they may have been affected by the privacy breach. The number of potentially affected patients from the Ajax and Pickering site who will receive letters of notification totals 6,150.

We are reviewing the hospital’s policies and procedures and information systems to ensure that it is complying with all of its responsibilities under the Personal Health Information Protection Act (PHIPA). We are continuing to look at the steps taken to ensure that this does not occur again in the future.

We also have received a number of calls from members of the public and read reports in the media of the possibility that this may be occurring in other hospitals in Ontario. No others are under investigation as of yet, however, we have reached out to the hospitals mentioned by callers and in the media as part of our investigation and we will be looking into the possibility that this may be occurring in these other hospitals. We will also be following up with individuals who contact us to complain about the possibility that their information might have been inappropriately used or disclosed.

At the present time, we have no evidence to suggest that the employees involved in this incident at the Rouge Valley Health System had access to records relating to patients of other hospitals under a shared electronic health record.  However, in our investigation we are also looking into this possibility.

Our office plans to release the findings of this investigation in a report this fall.