A privacy breach by a doctor at the Dr. Georges-L.-Dumont University Hospital Centre in Moncton is unprecedented, according to the head of the province's regulatory body for doctors.

Radiation oncologist Dr. Fernando Rojas accessed the files of 142 patients without their permission from hospital computers over a two-year period, dating back to 2010.

CBC News spoke with several of the affected patients and uncovered a pattern — they were all women in their early 20s to early 30s who are either current or past hospital employees.

Dr. Ed Schollenberg, registrar of the College of Physicians and Surgeons of New Brunswick, says no matter who the patients are, doctors must follow a code of ethics.

There is also legislation that clearly outlines boundaries when it comes to accessing patient medical files, he said.

TB patient

A doctor at the Dr. Georges-L.-Dumont University Hospital Centre gained unauthorized access to patient information, ranging from diagnosis to medicare number and address. (CBC)

The act, which came into effect in 2010, states: "A custodian shall not use personal health information except as authorized under this Division."

It also stipulates that "every use by a custodian of personal health information shall be limited to the minimum amount of information necessary to accomplish the purpose for which it is used."

Investigation ongoing

The Vitalité Health Network and the provincial privacy commissioner's office are investigating.

Rojas continues to work in the hospital's oncology department, but his access to electronic files is limited and monitored.

The files contain a patient's basic information, such as address and date of birth, to more detailed reasons for referrals, diagnosis, tests and results.

The affected patients CBC News spoke to say they can't think of a reason Rojas needed to access their information.

While they worked with him at some point, they were not his patients and they want to know what his motivations were.

They say they're in shock, confused and want Vitalité and the privacy commissioner to get to the bottom of the situation.

The patients, who were recently notified by Vitalité about the breach, which was uncovered during a routine audit a year ago, can call the health authority's privacy office to find out when Rojas accessed their files, what information he may have looked at and how often.

Some of the women told CBC News Rojas looked at their file once, but in other cases, he looked multiple times, they said.

Vitalité says if disciplinary action is required, it will be taken after its investigation is complete.