Summary:

On May 16, 2018, the Hawkesbury and District General Hospital received a complaint, advising that a clerk within the Physiotherapy and Mental Health Departments had accessed the personal health information of patients without authorization. The Chief Privacy Officer of the hospital conducted a thorough investigation into the matter and determined that the employee had inappropriately accessed the information of 197 individuals.

The hospital reported this breach to the IPC on August 28, 2018. The IPC worked with the hospital to ensure that it took reasonable steps to notify the affected individuals, contain the breach, and prevent a future occurrence. Steps taken by the hospital to remedy the breach and prevent a future occurrence included:

  • staff education
  • privacy training
  • the initiation of disciplinary action against the employee (the employee resigned)
  • implementation, effective June 1, 2019, of a new Electronic Medical Record (EMR) platform that allows greater monitoring and auditing capabilities than its predecessor

The analyst decided that the remediation steps taken, and those committed to be taken by the hospital, were satisfactory and the file has been resolved.