Frank Klees

Frankly Speaking

Article by Frank Klees, MPP
As published in the Auroran
July 30, 2012

Think Your Medical Records Are Safe?

A letter arrives in the mail. It's from your doctor. While opening the envelope, you wonder what this could be about. It's not often that you get a letter from him. A phone call maybe, to remind you of an appointment, but you can't remember ever getting a letter... And then you read this:

"Dear Patient, I write to inform you that in mid-April 2012, we discovered that a hard drive that was used in our office to store certain medical records was stolen. We believe that the hard drive that was stolen contained some of your personal health information."

The letter goes on to explain that while "almost" all of the electronic records containing personal health information stored in the doctor's office are encrypted and password-protected, the hard drive that was stolen was neither encrypted nor password-protected.

You can't believe your eyes as you read on...

"The documents contained on the hard drive may have included personal health information such as your name, address, date of birth and medical information."

"We apologize for this unfortunate incident and can advise you that we are doing our utmost to ensure, to the extent possible, that future privacy breaches are avoided."

Can't happen, you say. Well, it shouldn't happen, but it did. The preceding are direct quotes from a letter that was brought to me by a constituent this past week. Not only was she distraught that confidential medical information was now in some stranger's hands, but she was equally frustrated with how this breach of confidential medical information was being handled. I don't blame her.

First, the letter states explicitly that the theft of the records was discovered in mid-April of this year. The letter advising the patient of the breach was dated July 9, 2012 and was date-stamped by Canada Post on July 12th.

Why did it take three months for the doctor to advise his patients that their medical records had been stolen?

We hear enough stories involving identity theft to know that serious harm can be done with even the most basic of personal information, let alone sensitive medical files. While the letter expressed regrets and gave assurances that steps had been taken to prevent any future privacy breaches, there is no justifiable reason for the fact that it took three months to alert patients.

Clearly, this is a breach of the Personal Health Information Act. That legislation, passed in 2004, prescribes that any person or organization who has control of personal health information records must take steps to ensure that those records are protected against theft, loss or unauthorized use. The legislation also requires that if a theft or loss occurs, the patient must be notified "at the first reasonable opportunity". In this case, the doctor failed to comply with both of these legislated requirements.

I have asked the College of Physicians and Surgeons of Ontario to investigate.

I also contacted the office of the Information and Privacy Commissioner to determine if the doctor had reported this breach to the Commissioner. I was told that there were no records of this breach being reported.

I asked the Privacy Commissioner to investigate to determine how this breach came about, why the doctor failed to report the breach and to take the steps necessary to ensure that all health information custodians are reminded of their responsibilities to ensure the security of patient records.


I raise this issue not to point fingers at the medical practitioner involved in this case, although he must and will be held accountable for failing to protect his patients' health records, but, more importantly, to raise awareness of how vulnerable our information systems are to privacy breaches.

This is the third incident of information systems containing sensitive personal information being breached within the past few weeks. On July 16, Elections Ontario announced that two USB keys carrying copies of voter information for as many as 25 electoral districts (including Newmarket-Aurora) were lost or stolen. On June 6th, all 72 of the ServiceOntario kiosks were shut down because of a security breach. Those kiosks contain highly sensitive information, including driver's licence, credit and debit card numbers. They're still down today.

The next time you're seeing your doctor, you may just want to ask how safe your medical records are.

As always, I welcome your comments or advice. Feel free to call me at 905 750 0019 or contact me through my website at