[BreachExchange] CHEO employee shared 283 patient records with students

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 22 16:29:39 EDT 2017


http://www.canhealth.com/blog/cheo-employee-shared-283-patient-records-with-students/

A part-time instructor at Algonquin College, who was also an employee of
the Children’s Hospital of Eastern Ontario (CHEO), shared the private
information of 283 patients with students. The breach of privacy prompted
the person’s dismissal from the college and launched a privacy
investigation at the hospital.

The Ottawa Citizen newspaper reported that on March 10, Adam Vaughan
received a letter in the mail about his seven-year-old daughter, who had
been at the children’s hospital for a procedure earlier this year. The
letter informed him that his daughter’s private information had been shared
with Algonquin students by their instructor, also a CHEO employee.

Vaughan was upset by the breach. He told the Citizen, “The fact that
somebody would take my daughter’s personal information and feel that it’s
alright to take it outside of the workplace where it’s supposed to be
secured and then transfer it to a bunch of students, with no disclosure to
me? I would have never ever expected this.”

The letter was sent by the hospital’s chief privacy officer Roxanne
Riendeau.

“At CHEO, privacy is of the utmost importance. Patients and their families
need to feel they can safely share personal information with their
healthcare providers so you receive optimal care. This is our top priority,
and when we don’t meet our own high standards, we need to tell you why and
what we’re doing about it,” Riendeau wrote.

CHEO confirmed that it informed nearly 300 patients and their parents that
their medical information had been “briefly shared with 32 students
enrolled in Algonquin College’s Faculty of Health, Policy & Public Safety
and Community Studies.”

The instructor, a CHEO employee, disclosed the medical information on
handouts distributed during classes on Feb. 1 and 2. The handouts listed an
operating room schedule “meant as teaching resources during class time.”

The handouts were distributed “to teach future health professionals how to
support surgeries in a hospital setting.” They revealed patients’ names,
dates of birth, their CHEO medical registration number, their surgical
procedure, their allergies, gender, age and any other pertinent information
related to the surgery they were scheduled to receive at the hospital, CHEO
said.

“The lists did not have: patient addresses, OHIP numbers, nor any chart
notes beyond what is listed above,” the statement continued.

Algonquin informed CHEO of the privacy breaches on Feb. 17.

Riendeau told patients and their parents that CHEO believes the information
“may have been seen by up to eight students before it was returned to the
teacher, less than an hour after it was handed out.

“We have confirmed that all copies were returned to the instructor and have
now been recovered by CHEO.”

Riendeau also told patients and parents that the students who saw the
private information have been contacted and “have been reminded of the
information’s confidential nature, and those interviewed by Algonquin
College have confirmed that the information did not leave the classroom.”

CHEO said both it and the college did not permit the use of their medical
information.

“Both organizations share a commitment to the protection of confidential
information in their custody. We take this situation very seriously.”

CHEO said a “disciplinary process is underway” and that the hospital “will
incorporate the learnings from this breach into future mandatory privacy
training courses.”

CHEO apologized to patients and parents. “This should not have happened,”
Riendeau wrote.

Both institutions have also notified the Office of the Information and
Privacy Commissioner of Ontario.

CHEO did not answer questions about what the employee’s specific role is at
CHEO and what sanctions the employee will face.

Algonquin, for its part, said the college “will have no comment on this
issue, other than to inform you that the instructor in question is no
longer at the College.”

Vaughan has contacted a lawyer to seek legal advice and has been told that
others have also received similar letters from the hospital.