Hospital’s privacy safeguards questioned after radiologist’s unauthorized access to patient records

by HR Law Canada

A public hospital’s privacy measures are under scrutiny following a radiologist’s unauthorized access to patient health records, including those of his sister-in-law and her family, as revealed in a decision by the Information and Privacy Commissioner of Ontario (IPC).

The breach came to light when the radiologist’s sister-in-law, identified as S.L., filed a complaint with another local hospital where the radiologist also had privileges. An investigation conducted by the hospital, the local hospital, and the regional privacy team uncovered that between 2015 and 2021, the radiologist accessed health records of S.L., her husband, their daughter, and 17 other patients without authorization. The radiologist admitted he viewed the records “out of curiosity.”

The unauthorized access included sensitive personal health information (PHI) such as names, addresses, phone numbers, dates of birth, health card numbers, family physicians, visit histories, reasons for visits, exam imaging, and medical reports. The radiologist used the regionally shared electronic health record (EHR) systems, specifically Cerner/Power Chart (Cerner) and General Electric (GE) Picture Archiving and Communication System (PACS), to access this information.

The IPC’s investigation focused on whether the hospital took “reasonable steps to protect personal health information” as required by section 12(1) of the Personal Health Information Protection Act (PHIPA). The IPC found that the hospital’s EHR systems “had inherent limitations and, generally, did not display a privacy notice or warning flag.” Moreover, the systems were “not built from a privacy audit perspective,” making it challenging to detect unauthorized access proactively.

Despite the hospital’s actions to investigate, contain, and remediate the breach — including notifying affected individuals, disciplining the radiologist, and reporting him to the College of Physicians and Surgeons of Ontario — the IPC expressed concerns about the hospital’s ability to detect and deter such breaches. The IPC stated, “At the time of the breach, the hospital’s ability to proactively detect unauthorized access to PHI in Cerner and the PACSs through audits was limited due to inherent system limitations.”

Hospital’s response and remedial actions

Upon learning of the breach, the hospital took immediate steps to address the situation. It implemented a “Denial of Access” in August 2021 to prevent the radiologist from accessing S.L.’s health records in Cerner. The hospital also began daily audits of the radiologist’s access to patient health records and developed an interim process requiring him to self-report the tasks he performed each shift within Cerner to his department chief.

The hospital notified all affected individuals, providing them with details about the breach, including the radiologist’s name, a description of the unauthorized access, and the specific information accessed. The notification letters included a statement informing them of their right to file a privacy complaint with the IPC.

Additionally, the hospital sent an apology letter from the radiologist to the affected individuals. In the letter, the radiologist acknowledged his unauthorized access and assured them that he did not disclose their information to any third parties and would not engage in such actions again.

The hospital reviewed its privacy policies and procedures and enhanced its physician credentialing process to include more comprehensive privacy and PHIPA education. It also informed staff about the disciplinary actions taken against the radiologist, both as a cautionary tale and to deter future unauthorized access.

Limitations in auditing and monitoring systems

One of the key issues highlighted by the IPC was the hospital’s limited ability to audit and monitor access to PHI in their EHR systems. The hospital admitted that Cerner and the PACSs “were not constructed from a privacy audit perspective” and that auditing them is “both challenging and time-consuming.”

The hospital relied on external entities, the regional privacy team and the Ontario Clinical Imaging Network (OCINet), for auditing and monitoring. This reliance is not unique, as “other regional hospitals that share health records in Cerner and the PACSs have the same reliance.”

Cerner, for instance, has 219 different types of audits available, but all audits must be manually initiated, and the data manually sorted. The hospital stated, “If a patient does not raise a specific privacy concern, the ‘red flags’ that would identify a potential inappropriate access could easily be missed.”

Furthermore, the GE PACS, a legacy system no longer supported, lacked auditing tools to capture name searches conducted by users, which allowed the radiologist to access PHI undetected over several years.
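The proactive audit the decision describes as missing, as an added example that is not from the IPC decision, the hospital or either vendor: it runs over constructed access-log, imaging-order and directory records (every table, field and value below is assumed for illustration) and flags chart accesses with no imaging order linking the user to the patient, and accesses to patients who share the user’s surname or postal code.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the IPC decision); schema is assumed.
USERS = {"rad01": {"surname": "Lam", "postal": "K1A0B1"}}
PATIENTS = {
    "p100": {"surname": "Lam", "postal": "K1A0B1"},   # shares surname and address with rad01
    "p200": {"surname": "Oduya", "postal": "M5V2T6"},
    "p300": {"surname": "Chen", "postal": "L4C1A1"},
}
# An imaging order is treated as the clinical reason for a radiologist to open a chart.
ORDERS = [{"user": "rad01", "patient": "p200", "time": "2021-03-02T09:00"}]
ACCESS_LOG = [
    {"user": "rad01", "patient": "p200", "time": "2021-03-02T09:40", "system": "PACS"},
    {"user": "rad01", "patient": "p100", "time": "2021-03-02T12:15", "system": "Cerner"},
    {"user": "rad01", "patient": "p300", "time": "2021-03-05T22:10", "system": "Cerner"},
]

def parse_time(s):
    return datetime.fromisoformat(s)

def has_clinical_relationship(user, patient, when, orders, window_days=7):
    """True if the user had an order for this patient within +/- window_days of the access."""
    window = timedelta(days=window_days)
    return any(o["user"] == user and o["patient"] == patient
               and abs(parse_time(o["time"]) - when) <= window for o in orders)

def audit_access(log, orders, users, patients):
    """Return one finding per access that a privacy officer should review, in log order."""
    findings = []
    for entry in log:
        reasons = []
        user, patient = users[entry["user"]], patients[entry["patient"]]
        if not has_clinical_relationship(entry["user"], entry["patient"],
                                         parse_time(entry["time"]), orders):
            reasons.append("no order/encounter links user to patient")
        if user["surname"] == patient["surname"]:
            reasons.append("patient shares user's surname")
        if user["postal"] == patient["postal"]:
            reasons.append("patient shares user's postal code")
        if reasons:
            findings.append({"user": entry["user"], "patient": entry["patient"],
                             "time": entry["time"], "system": entry["system"],
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit_access(ACCESS_LOG, ORDERS, USERS, PATIENTS):
        print(finding)
```

Run on a schedule rather than on complaint, a check like this surfaces the family-member and no-order accesses that the manually initiated audits described above would miss; it only works for a PACS that logs which patient a user opened, which the unsupported GE PACS did not.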

Implementation of privacy warning flags

In response to the breach, the hospital implemented privacy warning flags in their EHR systems. By December 2023, a non-bypassable warning in Cerner reminded users that “your access of patient data in the EHR is monitored. Unauthorized use, collection or disclosure of patient data is a serious breach that may result in disciplinary action and/or other serious consequences.”

A similar warning was added to the AGFA PACS used by radiologists, stating that accessing PHI confirms “you will only collect, use or disclose PHI for the provision of healthcare and/or support of the provision of healthcare in accordance with your organization’s privacy policies.”

IPC’s conclusion

Despite acknowledging the hospital’s remedial actions, the IPC concluded that at the time of the breach, the hospital did not meet the requirements of section 12(1) of PHIPA. The IPC stated, “I do not find that the hospital had reasonable measures in place at the time of the breach to ensure that the affected individuals’ information was protected against unauthorized use.”

However, given the hospital’s subsequent actions to address the deficiencies, the IPC decided that “a formal review of this matter under Part VI of PHIPA is not warranted.”

For more information, see Complaint HR22-00017, 2024 CanLII 111491 (ON IPC).