2014-06-04

Scarborough hospital Rouge Valley Centenary has contacted Toronto police after a privacy breach that allegedly saw two employees sell the personal information of over 8,000 patients.

The hospital says two employees sold the personal information of expecting mothers to private companies selling Registered Education Savings Plans, or RESPs.

Upon discovering the breach, the hospital alerted both the Ontario Privacy Commissioner and Ontario Securities Commission, which are investigating the incident.

Rouge Valley spokesperson David Brazeau confirmed Wednesday afternoon that after seeking legal counsel, the hospital has also contacted Toronto Police regarding the breach.

Toronto Police had no information to provide on the case at the time of writing.

The information sold included names, phone numbers, and addresses of the patients, who were later contacted by companies trying to sell them RESPs.

“It was a completely inappropriate interaction that completely went against our policies,” said Brazeau. “We are taking this very seriously.”

“Our patients placed their trust in us, and we sincerely apologize that this happened.”

The hospital has done its own internal investigation and audit, and has sent out letters to patients who may have had their information sold.

The two employees involved in the breach have been fired from the hospital, and are currently under investigation by the Securities Commission.

The first incident in October 2013, in which 7,600 patients had their information sold, was brought to the attention of hospital management by a Rouge Valley employee.

The second incident in March 2014, which affected 699 patients, was discovered after suspicious documents were left in a hospital printer.

“This unfortunate activity was reported to my office and we have started an investigation into the incident,” said Ontario Privacy Commissioner Ann Cavoukian in a statement Wednesday. “The hospital has followed our recommendations on what to do after such an incident occurs and we will continue working with them to see what preventative measures can be undertaken.

“My office will review the hospital’s policies and procedures to ensure that it is complying with all of its responsibilities under the Personal Health Information Protection Act.”

National Post
