1,041 P.E.I. dental patients identified in privacy breach

Police say employee forwarded sensitive emails just to prove to a family member they were really at work

P.E.I.'s privacy commissioner reported on a privacy breach involving most, if not all, of the 1,041 patients of a dental clinic. (Kerry Campbell/CBC)

P.E.I.'s privacy commissioner says an employee of a dental office on P.E.I. disclosed sensitive, personal health information belonging to more than 1,000 patients, to a member of that staff person's family.

The commissioner said that in some cases the information, contained in emails all forwarded from the dental office to the same recipient, included patients' banking and credit card information and results of medical tests.

And while Privacy Commissioner Karen Rose said the information could have been used to commit identity theft or fraud, in her report she noted police were satisfied the emails were forwarded to the recipient simply to prove that the staff person sending them was actually at work.

Privacy commissioner, police called in

According to Rose's review, the dental office discovered the breach through an internal investigation around December 2017. The employee in question was immediately terminated, and the privacy commissioner and police were notified.

In her report, Rose said the dental office in question was satisfied, based on interviewing the staff person in question, that the unauthorized personal disclosures "were not for any illegal or nefarious purposes, e.g. to facilitate the commission of crimes such as theft, fraud, or harm to property, or to embarrass or harass the clients."

Furthermore, after interviewing the person who received the emails, police "were satisfied that the recipient had no interest in the content of the emails from the employee, apart from confirming the employee's presence at the workplace."

As the emails were forwarded to the recipient's work email address, written certification was provided from their employer that every email and attachment had been "securely destroyed" and none of the emails had been forwarded to another address.

1,041 patients notified

When the commissioner ordered the dental office to provide written notification to all patients whose personal information had been disclosed, the dental office sent notification to all 1,041 patients who were registered there at the time.

Privacy Commissioner Karen Rose ordered the clinic to inform all patients whose personal information had been disclosed. The clinic informed all 1,041 people who had been patients at the time the breaches occurred. (Krystalle Ramlakhan/CBC)

A spokesperson for the commissioner's office said information belonging to most of the patients had been disclosed, and said the commissioner proceeded as if all their information had been disclosed.

While some of the forwarded emails were personal emails between individuals and the dental office, others were not, raising the possibility that internal emails from the dental office containing personal information for multiple clients may have been forwarded.

Credit monitoring offered

The commissioner said the dental office had not been maintaining "reasonable safeguards" to prevent disclosures of patient information, but concluded steps taken since the breach, including the hiring of an IT security specialist, had addressed that shortcoming.

The dental office also offered to provide credit monitoring services to seven individuals whose credit card or banking information was disclosed.

In ordering the dental office to notify patients whose information had been disclosed, the commissioner acknowledged the possibility the disclosure could "have an adverse impact on the mental, physical, economic or social well-being of the individuals to whom the personal health information relates."

She also noted that deleting the emails doesn't erase the fact that someone has seen them.

"The fact remains that the recipient viewed personal health information, and that the personal health information cannot be unseen by the recipient.... I find that there is a reasonable expectation that the recipient may have recognized a client's name, or still recalls the content of at least some of the emailed records."

Kerry Campbell

Provincial Affairs Reporter

Kerry Campbell is the provincial affairs reporter for CBC P.E.I., covering politics and the provincial legislature.