Dear Colleagues,

Yesterday's story in the Toronto Star summarized the issue of privacy incidents in some Toronto area hospitals including UHN.  The number of incidents at UHN – 258 – is correct and covers a time period of about 18 months.  Dr. Eric Hoskins, the Minister of Health and Long Term Care for the Province of Ontario says that one incident is one too many – and we agree with that assessment.

There are a number of ways that privacy can be breached and the list given to the Star was:

  • Inappropriate use of information within UHN (e.g. using patient information for research without ethics board approval and/or patient consent) 
  • Unauthorized disclosure of information outside of UHN (e.g. faxing patient information to the wrong care provider, using an unencrypted USB) 
  • Inaccuracy of information (e.g. discovering merged patient records or incorrect demographic information) 
  • Inappropriate access to information (e.g. looking at the medical records in the EPR without being on the care team of that patient, sharing computer IDs or passwords)
  • Inappropriate collection of information (e.g. taking a picture of a patient without consent) 
  • Loss or theft of information (e.g. losing a patient list or realizing your laptop has patient information stored on it when the computer has been stolen)


During the period of time covered by the Star's article, there were three incidents of individuals looking at patient care records who were not in the patient's circle of care.  This is a violation of patient privacy, UHN's principles around privacy and likely a violation of the professional code of conduct for most health professions.  It is beyond unacceptable and can result in a number of disciplinary measures including termination of employment.  UHN conducts random audits of access to charts and should inappropriate access be discovered, we will not hesitate to take disciplinary action.

We have done many things to help staff understand privacy; we've encrypted UHN devices so theft of devices cannot result in the loss of our patients' personal health information, and we continue to train on the issue.  Everyone should be aware that the Office of the Privacy Commissioner also has the right to fine individuals and organizations found to be negligent in this area.  The fines which can be imposed could be as much as $50,000.

We know that most privacy incidents are the result of theft or human error.  However, when the incident is intentional, such as the accessing of a chart by someone outside the patient's circle of care, you can expect that the discipline will be commensurate with the invasion of a patient's privacy.  We have terminated employment, which is something that is hard to do but necessary.


Gillian Howard

Vice President – Public Affairs & Communications
