Lakeridge Health has repeatedly failed to secure patient medical records from unauthorized access, and at times, allowed these issues to persist even after claiming they were being addressed, according to an investigation by Ontario’s privacy commissioner.
A thorough review of the Durham Region hospital network was initiated following several breaches between 2023 and 2025 caused by various hospital staff members, noted commission adjudicator Jennifer Olijnyk in her decision.
“These hospital agents all accessed patients’ personal health information without authority, breaching the Personal Health Information Protection Act. The breaches all involved different circumstances, including the number of patients affected,” she wrote.
The privacy commission had previously looked into a series of breaches at the hospital from 2020 to 2021 but indicated that appropriate actions were taken then.
However, unauthorized access continued, prompting Olijnyk’s decision for a systemic review by the commission.
requested comment from Lakeridge Health.
“These files all involved apparent delays in containing the breach by delaying removing electronic health record access from those suspected of the breach and/or delaying providing notice of the breach to the affected parties,” she said. “These apparent delays raised systemic concerns that the hospital may not be complying with its obligations.”
Hundreds of patient files accessed: report
In one instance, Olijnyk mentioned a physician who faced suspension twice due to multiple audits revealing she had accessed patient files improperly. The report highlights that up to 326 patients had their information accessed during one breach, with some patients not being notified until as long as ten months after it was reported.
Another case showed that a resident expressed concern that her neighbor, a hospital employee, was accessing medical records for her and her family. An audit revealed another worker had accessed multiple records while serving as a clinical extern. During discussions with this worker, it became clear she hadn’t received adequate privacy training because of how quickly she was hired; however, such training is usually provided even for urgent hires.
“The hospital notified the information and privacy commissioner and the affected patients three weeks after it concluded its investigation, approximately five months after the concern was first reported,” states the report.
A third breach led to an audit being conducted after a hospital-wide announcement about a staff member’s death due to fears of “snooping.” It discovered that a unit clerk had accessed both their EHR and other records. She resigned before any action could be taken against her by the hospital, according to notes in the report.
After her resignation, an affected patient’s son reached out to express concerns that his records might have also been viewed by this clerk since he believed she was his ex-wife.
“The hospital found that the unit clerk had accessed his personal health information twice in April 2023,” after confirming their relationship.
Hospital ordered to amend privacy policies
The adjudicator pointed out that Lakeridge Health did not remove access to EHRs at any point during investigations, which allowed continued unauthorized access in “some cases.”
Olijnyk instructed Lakeridge Health on several necessary changes regarding its privacy policies. This included requiring them to make decisions about temporarily revoking access immediately when investigations start.
This means setting clear guidelines for removing EHR access while providing specific timelines for investigations along with definite actions they will take while notifying patients if their data gets compromised at “the first reasonable opportunity,” even if investigations are still ongoing.









