The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, April 09, 2005
A medical lab in Windsor, Ontario was broken into on January 1, 2005 and the thieves made off with a computer containing personal health information. The lab only issued a notice this week after they incorrectly assumed they needed the OK from the Information and Privacy Commissioner of Ontario. (In fact, the new Ontario Personal Health Information Protection Act requires that such disclosures be reported to affected patients.) The lab says they informed the IPC right away, a fact that the IPC's office disputes.
From Canada.com:
Fort St. John - canada.com network:"Patients kept in dark over theft of lab files: Information taken during break and enter in Windsor
Doug Schmidt
Windsor StarApril 9, 2005
Ontario's Ministry of Health wants to know why it took more than three months for a Windsor medical lab to begin reporting the theft of personal and medical information to affected patients and their doctors.
"Eventually, the ministry would want some kind of justification for the delay," ministry spokesman John Leatherby said. "Those who are affected need to be in the know."
Friday, Medical Laboratories of Windsor Ltd. (MLW) issued a news release reporting a computer containing patients' names, addresses, health card numbers and health information was stolen from its 1428 Ouellette Ave. office Jan. 1.
Windsor police have been investigating the theft but report no success.
"As soon as we discovered the theft, we contacted authorities," company spokeswoman Jennifer Yee said.
As required by law, the company notified Ontario's Office of the Information and Privacy Commissioner, but spokesman Bob Spence said Friday it wasn't until early March -- two months after the B&E -- that it was made aware of the theft. He said the privacy commissioner has also launched an investigation into the theft.
According to police, one or more suspects broke into the front door of the Ouellette Avenue office building that night and then smashed through MLW's medical office door on the third floor, leaving with a computer, flat-screen television, a computer monitor and petty cash.
The missing computer was used to collect and transmit ECG information from patient tests to family physicians and cardiologists, Yee said.
She said she "wouldn't want to speculate" on the number of patients affected by the theft, but added more than 100 doctors in the Windsor-Essex area were sent letters Thursday advising them of the theft.
"We sincerely regret this situation," Yee said.
Staff Sgt. Ed McNorton said Windsor police believe the suspects targeted the computer for its hardware value and not the personal and private medical information it contained.
Nevertheless, said the ministry's Leatherby: "Those individuals who have had their personal information stolen -- they should be next to the first persons to be advised."
Asked why MLW, which has operated locally the past 43 years, waited three months to alert doctors, patients and the public to the possible theft of personal data, Yee said it was only Thursday that the company received the required approval from the privacy commissioner's office.
NOT NEEDED
But commissioner spokesman Spence told The Star Friday there is no need for such approval.
"We do not tell organizations not to advise people -- or announce to the public -- that information may have been lost," he said.
Though there are four other MLW offices across the county, Yee said, only the ECG test results and patient information of those attending the Ouellette Avenue office were affected.
The private company said it launched its own internal investigation and is also working with the Ontario Ministry of Health and Long-Term Care on the case.
"We have ... taken a number of steps to ensure MLW's security and data protection measures meet or exceed current health industry standards," company president Dr. George Yee said in Friday's news release.
The Health Ministry will wait until the conclusion of the police investigation before launching a probe into the reporting delay, Leatherby said.
Any patients requiring additional information are asked to call MLW at 258-1991."
Labels: health information, information breaches, ontario, phipa
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.