New moms targeted in privacy breach at Rouge Valley Hospital

The Privacy Commissioner of Ontario as well as the Ontario Securities Commission (OSC) are investigating after a massive privacy breach targeting mothers of newborns took place at Rouge Valley Centenary hospital.

From July 2009 to August 2013, a staff member allegedly accessed patient files,belonging to new moms and women who were expecting, as part of scheme to sell them Registered Education Savings Plans.

“My office will be meeting with senior hospital staff next week to examine how this could have occurred,” commissioner Dr. Ann Cavoukian said in a statement. “It appeared to be an isolated incident when first reported it to us, but this is clearly not the case.”

The hospital was alerted to the problem last September but only this May sent 8,300 letters to patients notifying them of the breach.

The hospital said they were not trying to sell the moms anything but did issue an apology for the breach.

“We sincerely apologize to our patients and that’s the important thing to do,” Rouge Valley spokesperson David Brazeau said. “It’s highly inappropriate. Not what the hospital condones. In fact, it’s against everything we stand for.”

The mother who first told CityNews about the problem said just one week after giving birth at RVCH, she was contacted by a woman who tried to sell her an RESP. She said she didn’t think anything of it until the apology from the hospital arrived in the mail.

If the investigation conducted by the OSC finds that a breach of Ontario securities law has happened it will take action as warranted, according to spokesperson Carolyn Shaw-Rimmington.

The OSC can impose fines of up to $1 million, bans on future activities and reprimands on individuals and companies for violations of securities law or conduct that is contrary to the public interest.

Charges can also be laid by the OSC for violations of the Ontario Securities Act.

The hospital won’t say what position the staff member held only that the person has since been fired.

Brazeau said the hospital has since made sweeping changes — including limiting the number of staff that can access patient information.

“We’ve also let everyone know we are tracking, as a hospital, everyone who is accessing patient information,” he explained.

He added that the names of two former employees were turned over to police on Wednesday and it is up to authorities to take the next steps.

Ontario’s privacy commissioner Ann Cavoukian is also involved.

“I was dismayed to learn about the misuse of patient personal contact information of new parents from Rouge Valley hospital. This unfortunate activity was reported to my office and we have started an investigation into the incident,” a statement from Cavoukian said.

Since the story aired on CityNews Monday, parents with similar experiences at four other hospitals have came forward. New claims of security breaches came from patients at North York General hospital, Sunnybrook hospital, William Osler hospital and Credit Valley hospital.

Dr. Cavoukian said no other hospitals are currently under investigation but those mentioned will be contacted as part of the investigation.

None of the four hospitals would speak to CityNews about the claims made by the parents.

Brazeau said any mother concerned by the breach at Rouge Valley Centenary hospital should get in touch with the hospital’s patient relations office at 416-284-8131, ext. 4742.