The Privacy Commissioner of Ontario as well as the Ontario Securities Commission (OSC) are investigating after a massive privacy breach targeting mothers of newborns took place at Rouge Valley Centenary hospital.
As many as 8,300 patients saw their names, addresses and phone numbers turned over to private companies selling registered education savings plans by two staff members at Rouge Valley Centenary hospital, according to David Brazeau, hospital spokesman.
Neither of the staff members works for Rouge Valley Health System any longer, Mr. Brazeau added.
While the breach only affected patients at Centenary, anyone living in Durham Region could have been affected if they had a child at that hospital.
One such person is Theeban Nanthakumar ,of Oshawa, whose wife gave birth to three daughters between 2010 and 2013 at Centenary.
Mr. Nanthakumar said he continues to receive calls from the companies and has saved the numbers on his cellphone contact list so he knows not to answer when the phone rings.
“They say, ‘Do you have children? Do you want an RESP?’” Mr. Nanthakumar said.
The hospital sent letters to patients explaining the privacy breach.
“We’ve apologized and informed as many patients as we could,” Mr. Brazeau said. “It’s something that should not have occurred.”
Rouge Valley management learned of the privacy breach in October 2013, when one of the employees involved in the scheme voluntarily came clean, Mr. Brazeau noted.
Three months later, the hospital realized there was a second leak after someone noticed patient records left on a printer, sparking a second investigation. The hospital uncovered a second employee involved in March 2014.
The Office of the Information and Privacy Commissioner and the Ontario Securities Commission are both investigating the affair.
Privacy commissioner Ann Cavoukian said in a statement the hospital had followed her office’s recommendations on what to do after such an incident.
Agencies/Canadajournal