A breach at Rouge Valley Centenary that involved the contact information of 8,300 new mothers possibly being sold by two employees to multiple Registered Education Savings Plan (RESP) companies may also have affected new mothers at Rouge Valley Health System’s (RVHS) Ajax and Pickering site as well.
It is not clear, however, whether the same two employees were responsible. CP24 has the update.
In June, a $412 million potential class action lawsuit was filed against Rouge Valley Centenary.
On August 8, RVHS posted a notice to patients on its website, linked from the home page:
Notice to patients of the Rouge Valley Centenary Birthing Centre unit between November 2009 and early July 2014, and Rouge Valley Ajax and Pickering Maternal and Newborn Services unit between April 2014 and early July 2014
In compliance with section 12(2) of the Personal Health Information Protection Act, this notice is to notify the above noted patients of a privacy breach which was confirmed in early July 2014.
For some time, the hospital’s birthing centres offered baby photography services through Just Arrived Baby Photography (the photographer). The photography service has been in place at our Rouge Valley Centenary (RVC) campus since November 2009 and at the Rouge Valley Ajax and Pickering (RVAP) campus since April 2014. We have recently learned that instead of simply receiving the name and room number of new mothers to determine whether new mothers would like to receive the photography services offered, the photographer was provided with a list daily which contained patient name, room number, age, gender, physician name, length of stay in hospital, type of diet (RVAP only), type of room accommodation in hospital (RVC only) and reason for admission to hospital (RVC only).
The list was only used to approach new mothers in the hospital to offer photography services. It was not used for any other purpose and it was not provided to any third party. The list never left the hospital, and it was shredded by the photographer.
The hospital takes privacy protection very seriously and sincerely regrets this breach of privacy. We are conducting a review of our practices to ensure that privacy is protected. The Information & Privacy Commissioner/Ontario has also been notified.
If you would like to discuss this matter or you have any questions, please do not hesitate to contact our Patient Relations office at [email protected] or call 416-284-8131 ext. 4742.
The notice is somewhat puzzling as it seems to say an external breach didn’t happen via the photography service, but it doesn’t explain what did happen or how the external breach occurred.
Update: Toronto Star reports that the second location had 6,000 patients affected.