A Toronto Conservative MPP has apologized for sending an email that left hundreds of her constituents' email addresses visible to everyone who received the message, saying her staff will take steps to prevent such a privacy breach from happening again.

At least one recipient says the incident is not only "amusing and sad," it's a sign of government incompetence.

Christine Hogarth, who represents Etobicoke-Lakeshore, said in a statement on Tuesday that she has informed Ontario Information and Privacy Commissioner Patricia Kosseim of the breach.

Hogarth's office sent one email on Monday evening to update constituents about COVID-19 vaccine appointment bookings for people 80 and older. Then her office sent another that said it was recalling the first email.

In both emails, the CC (carbon copy) field was used instead of the BCC (blind carbon copy) field, making the hundreds of email addresses visible to all recipients.

"While my intention was to provide important details about vaccines to members of my community, we regret inadvertently sharing people's personal email addresses. I am sorry for this error," Hogarth said in the statement.

"In addition to informing the information and privacy commissioner of Ontario, my constituency staff has already begun the process of ensuring this never happens again by switching to a new system that better protects emails and other personal information."

Email sent out with 'little to no preparation,' recipient says

Adam Riggio, 38, a private college instructor who moved out of the riding in July 2020 but still received the emails on Monday, said it's not just a breach of privacy but of cyber security as well.

He said the initial email went out to about 450 people with their addresses visible.

"Within a few minutes, a couple of things happened. A staff member from MPP Hogarth's office sent out a correction that said: 'Please disregard' or something of that nature. Then at the same time, some of the angry 'reply all' people were coming in," Riggio said.

"Some of them were pissed. There were even attempts in the replies by the staff member to apologize."

This is the email sent to constituents on Monday. (CBC)

At one point, one reply looked like it came from Hogarth herself. Riggio said he wrote a "passive aggressive" reply-all himself to tell the recipients that the email violated not only privacy but cyber security as well.

"For all we know, for every annoyed person writing reply all or writing back individually to the person who sent this, there could be a spammer or data vacuum happily sucking up these emails. We don't know."

Riggio said the emails were clearly not sent only to people 80 and older.

"It was funny and stupid at the time, as I remarked on Twitter, kind of joking about it," he said.

"But there was also the notion that this struck me so much as just one little micro-level element of the macro-scale incompetence of the vaccination rollout and COVID management that I've been seeing from the provincial government, and I think many of us have been seeing from the provincial government, pretty much ever since the start of the pandemic."

He said the email addresses should have been in the blind carbon copy field and the email should have been sent only to people in the target age range. He said "not enough thought" went into the email.

"This announcement went out with little to no preparation," he said.

Riggio acknowledged that the mistake made is a common one, but added: "What's worth getting angry about is what the mistake reveals about the larger phenomenon of the government falling down on the job when it comes to communications of the vaccination rollout."

So my MPP @CHogarthPC just sent email notice of a Seniors’ vaccination clinic to every constituent their office had listed. And left every address in the Recipient field visible. EVERY ADDRESS. Incompetence everywhere with this government. —@adamriggio

Now people in that email thread are spamming us all with anti-vaccine conspiracies, and her comms staff are sending us emails blaming each other for the error. What’s wrong with your office @CHogarthPC? —@adamriggio

The first email, with the subject line, "Attention seniors born in 1941 and before," updated constituents 80 and older about how to book appointments for the COVID-19 vaccine and informed them of the province's online booking system that is launching on March 15.

The second email, with the subject line, "Recall: Attention seniors born in 1941 and before," left all of the email addresses of constituents still visible and said: "Hogarth, Christine would like to recall the message, 'Attention seniors born in 1941 and before.'"

Governments need to amend privacy laws, expert says

According to the office of Ontario's Information and Privacy Commissioner, the email is about constituency business and that means the matter is not subject to Ontario's public sector privacy laws and the office has no jurisdiction over the privacy breach.

But Kosseim, the commissioner, said in an email on Tuesday that her office has long been calling on governments to amend existing privacy laws to include oversight of political parties and how they collect, use and disclose personal information under their control.

"Ontarians should be afforded control over how their personal information is collected, used, and disclosed, and should have recourse to address situations where their personal information is mishandled, whether accidentally or by design," Kosseim said.

"Privacy breaches through misdirected or mishandled emails are not a new phenomenon. This incident is a significant reminder of the importance of having the appropriate policies and administrative safeguards in place when handling personal information."

Privacy lawyer Kirsten Thompson, a partner at Dentons Canada, said these kinds of breaches can have an impact on democracy.

"What happens is people no longer trust MPs or political parties with their personal information. Therefore they don't hand their personal information over. Therefore the democratic process is undermined."