An investigation by the Privacy Commissioner of Ontario into snooping incidents at Lakeridge Health has revealed that the Durham Region hospital network repeatedly failed to protect the personal health information of patients when staff inappropriately accessed confidential medical records without authorization.
In a decision posted online on April 24, an adjudicator with the commission said a systemic review of the hospital network’s privacy policies and procedures arose from multiple snooping incidents reported by Lakeridge Health between 2023 and 2025 across its Durham Region facilities.
Lakeridge Health reported a number of unauthorized accesses to personal health information made by agents of the hospital, including a physician, a unit clerk, a clinical extern, a diagnostic imaging technician, and two registered practical nurses, the decision read. These hospital agents all accessed patients’ personal health information without authority, breaching the Personal Health Information Protection Act (PHIPA). The circumstances of the breaches differed, including in the number of patients affected.
One staff member accused of inappropriately accessing patient files was a physician whose hospital privileges were suspended on two separate occasions after audits were conducted into the doctor’s access patterns. One audit alone involved inappropriate accesses to personal health information affecting 326 patients, the report noted, representing a significant breach of privacy.
Another case involved a unit clerk at Lakeridge Health. Following a hospital-wide notice sent out about the death of a staff member, the hospital’s privacy office ran audits on all accesses to the deceased’s electronic medical record due to the heightened risk of snooping. The audit showed that the unit clerk had accessed the patient record the day after the staff member died.
A manager later confirmed through additional auditing that the unit clerk had inappropriately accessed the personal information of four patients in total. The unit clerk resigned shortly before the hospital was set to terminate their employment over the breaches. The son of one impacted patient also suspected his own information had been inappropriately accessed, as he believed the staff member in question was his ex-wife. The hospital confirmed the unauthorized access and promptly notified him.
Yet another incident involved a clinical extern at the hospital. A person came forward to report concerns that her neighbour, a hospital employee, may have inappropriately accessed her personal health information and that of three of her family members without any legitimate medical reason. Following an audit, the employee’s manager confirmed there was no valid reason for the employee to have made 23 of the suspicious accesses flagged by the privacy review.
The investigation highlights the ongoing challenges that hospitals across Ontario face in protecting patient privacy in the digital age, where electronic medical records can be accessed by thousands of staff members with varying levels of authorization across multiple facilities and departments.
Lakeridge Health serves communities across Durham Region including Ajax, Pickering, Whitby, Oshawa, Clarington, Uxbridge, Brock, and Scugog. The Privacy Commissioner’s decision includes recommendations for the hospital network to strengthen its privacy policies, improve audit systems, and enhance mandatory staff training to prevent future unauthorized access to patient records.