DataBreaches.Net

(Follow-up) Doctor named and blamed for patient files found in Regina dumpster; Dickson recommends prosecution

Posted on July 20, 2011 by Dissent

The follow-up on a case of improper records protection/disposal originally uncovered in March, from the Office of the Information and Privacy Commissioner of Saskatchewan:

Saskatchewan’s Information and Privacy Commissioner, Gary Dickson, has issued his Investigation Report H-2011-001 dealing with 180,169 pieces of patient personal health information (PHI) found in a recycling bin in Regina on March 23, 2011. This included 2,682 patient files as well as descriptions of diagnosis, treatment and care of other patients at the Albert Park Family Medical Centre. The trustee responsible for the records is Dr. Teik Im Ooi.

Dickson concluded that Dr. Ooi violated The Health Information Protection Act in multiple ways including:

  • She failed to have appropriate written policies and procedures to protect the patient information entrusted to her;
  • She failed to safeguard patient information when it was moved to off-site storage locations;
  • She failed to have appropriate contracts with service providers; and
  • She failed to monitor the security of off-site storage facilities.

Dickson stated: “This is without question the largest breach of patient privacy that our office has encountered in eight years since The Health Information Protection Act was enacted.”

Dickson found that as a result of the multiple privacy breaches by Dr. Ooi the patient health information was not protected from viewing by a long list of individuals who would have had no legitimate need to know this patient information. This included her children and their friends, staff and labourers working for the pharmacist next door to Dr. Ooi’s clinic, a construction crew, staff and contractors of a Regina shopping centre and more than 3,600 persons who walked through the basement of the shopping centre to view a haunted house exhibit in October 2010.

The Commissioner made eleven recommendations that included a recommendation to the Minister of Justice that he consider prosecution under The Health Information Protection Act.

The commissioner’s full report can be found here (pdf), and it’s a blistering indictment. The report states, in part:

It was determined that the patient records were thrown into the recycling bin by two employees of a contracted maintenance company for Golden Mile Shopping Centre (a building adjacent to Gold Square). We determined that the patient records had been moved from APFMC for storage on the second floor of Gold Square beginning in 2005. By 2007, approximately 150 boxes of patient records had accumulated there. This was the first of five different moves of the patient records that involved two different buildings and four different storage rooms or areas over a period of almost six years. For all intents and purposes, APFMC appeared to have lost track of the records when they were moved from their original location at APFMC in 2005. At that point, there was no record or catalogue of the contents of the boxes. In addition, the boxes were not marked in any sequential fashion to be able to trace their subsequent moves. There was little to no involvement by APFMC in four of the five moves and no supervision by APFMC of the moves nor any inspection of the off-site storage spaces. There was no written agreement between Dr. Ooi and third parties who acted as information management service providers (IMSP). It was determined that from 2007 until March 23, 2011 the large volume of patient phi was unprotected from many persons who would have had no legitimate ‘need-to-know’ that patient information. This included workmen, labourers, staff of Golden Mile Shopping Centre, and a large crowd of more than 3,600 persons who toured the basement where the patient files were stored in an unlocked space during the last three weeks of October 2010.

Although, as noted above, approximately 150 boxes of patient records were moved from APFMC for storage purposes between 2005 and 2007, the discovery of files in the recycling bin leaves unaccounted approximately 125 of those boxes of patient records. More than three weeks into our investigation APFMC advanced a theory that the missing 125 boxes had been moved back to APFMC at some point in 2007. Despite our further investigation, there is no reliable evidence that confirms this theory nor particulars of how such a move happened or who undertook the move. In any event, without an inventory of the box contents before they left APFMC and identification tags or numbers to allow tracing of the files, there is still the problem of a much larger number of patient files that left APFMC and did not end up in the recycling bin on March 23, 2011.

And there’s much more in this very detailed investigative report. Read it all here.

Previous coverage on this blog here.

Category: Health Data
