Personal information of roughly 150 patients of Toronto-based St. Michael’s Hospital has been stolen in a data breach, allegedly by a former third-party employee accused of taking it while on duty.
According to a letter obtained by a local news channel, Unity Health Toronto, the entity overseeing three Catholic hospitals in the city, including St. Michael’s, learned of the incident on May 13.
“We learned that a former employee of the company had taken and kept copies of several reports that he had transcribed,” the letter reads. “The former employee held onto the reports improperly after his employment with the company ended.”
The transcribed clinical notes dictated by St. Michael’s physicians were allegedly used to extort payment from the company. Although the reports included no financial information or insurance numbers, the rogue employee allegedly stole sensitive patient data such as full names, medical and family history, diagnosis, treatment plans and medication.
On Wednesday, St. Michael’s Hospital officials said that the incident was reported to local law enforcement and Ontario’s privacy watchdog.
“St. Michael’s Hospital is working with the outside vendor responsible for this incident to learn more about what happened and what steps they are taking to fix it,” the statement reads. “We take this matter seriously and have notified all impacted patients.”
Moreover, Unity Health Toronto reported that police officials seized the computer on which the reports were stored. Unity Health said that they have enhanced information security practices and trained staff on patient data confidentiality and proper use of patient information to prevent future incidents.
As a side note, the latest alert posted on Unity Health’s official website is warning patients of fake text messages requesting personal information.
“Please do not respond and if you have any questions, direct them to your health care team,” Unity Health said. “Unity Health Toronto does not send unsolicited emails, text messages, nor make telephone calls asking for information, such as a photo of your health card.”