A patient at Woodstock Hospital in Ontario wants to know why the hospital never referred an insider-wrongdoing breach to the police. It's a fair question considering that the improper access affected 56 patients and took place between January and May.

https://www.woodstocksentinelreview.com/news/local-news/patient-frustrated-by-woodstock-hospital-privacy-breach

#databreach #privacy #PHIPA #OIP

@brett


@PogoWasRight @brett What was the crime the police were supposed to investigate?

A person with valid credentials used a system which he was allowed to use.

The system did not have internal controls to limit data access.

@hal8999 @brett As the article notes, an offense under #PHIPA can potentially result in imprisonment.

@PogoWasRight @brett Irrelevant regarding the local PD.

The article had a quote from the authority having jurisdiction: Ontario’s Information and Privacy Commissioner.

The local PD is not the AHJ, and would have no ability to swagger into a hospital and say, "Give us all your logs."

The actual authority would.

@hal8999 @brett

Can the OIP send someone to prison?

@PogoWasRight @brett If it's in their authority, then it could happen. But it would be based on the scale and how they've written the regulations, not just because an event happened.

In the U.S., HIPAA violations are determined by the Office for Civil Rights (OCR, part of the Department of Health and Human Services), which refers cases to the Department of Justice for criminal investigation and prosecution.

In Canada, it would be referred to the Attorney General or an agent of the Attorney General for investigation.

@hal8999 @brett

Thanks for explaining all that. In the U.S., we have seen entities directly refer to police under state laws. I guess I was thinking the same might be true in Ontario. I guess it isn't.

@PogoWasRight @brett I'm in the U.S. This wouldn't go to police here.

I did have a sheriff call because a 'citizen' kept harassing them about a fax auto-dialer waking him up, and that it must be a HIPAA crime.

So, they officially referred the case to the facility so they could tell the citizen to stop bothering their staff.

Where would your local LEA get involved? Just curious.

@hal8999 Well, since I can't access my site just now to start to search for cases like that, I'll have to get back to you. But I do keep track of reported/disclosed insider-wrongdoing cases in the US healthcare sector, and some have definitely been referred to local law enforcement. Unfortunately, when you read those disclosures, you don't find out what happened later with law enforcement.

@brett

@hal8999 @brett

OK, I was able to access my own site for a while, so I searched for some examples. Many insider breaches get reported to federal authorities, which we both already acknowledged. For healthcare entities, here are two examples of local police getting involved:

Tempe nurse assistant stole patient identities to open bank accounts, lease apartments, police say:

https://www.12news.com/article/news/crime/tempe-nurse-stole-patient-identities-open-bank-accounts-lease-apartments/75-b19954ea-5e4d-4c77-84e6-80764d6c0c51

Ex-Nursing Home Employee Used Patient’s ID To Pay Bills: Police

https://patch.com/illinois/palos/ex-nursing-home-employee-used-patients-id-pay-bills-police

So it may not be common, but it does happen occasionally, I guess.