Medical data of 150 Toronto hospital patients allegedly used to extort money from company

TORONTO -- A Toronto hospital says that roughly 150 patients have been impacted by a data breach after a third-party employee allegedly stole medical reports in an effort to extort money from their company after being let go.

According to a letter sent on Sept. 30 by a privacy and information access specialist at Unity Health Toronto, a network of Catholic hospitals in the city, the incident involves an outside company used to transcribe clinical notes dictated by physicians working at St. Michael’s Hospital.

“On May 13, 2020, we learned that a former employee of the company had taken and kept copies of several reports that he had transcribed,” the letter, which was obtained by CTV News Toronto, said. “The former employee held onto the reports improperly after his employment with the company ended.”

According to Unity Health Toronto, that employee used the reports “in an effort to get the company to pay money to him” on March 9.

The reports contained notes about patient care and could include full names, medical and family history, clinical diagnosis, treatment assessments and medications. The health network stressed that no financial information was shared and that the documents did not include the patients’ Ontario Health Insurance Plan numbers.

In a statement issued Wednesday, St. Michael’s Hospital said that the incident has been reported to law enforcement authorities as well as the Information and Privacy Commissioner of Ontario.

St. Michael's Hospital told CTV News Toronto the third party company is Nuance Communications Inc., which is based in the United States.

“St. Michael’s Hospital is working with the outside vendor responsible for this incident to learn more about what happened and what steps they are taking to fix it,” the hospital said. “We take this matter seriously and have notified all impacted patients.”

In the letter to patients, Unity Health Toronto says that police officers have seized the computer on which the reports are believed to be stored and that there is a court injunction preventing the individual from further accessing or sharing the information on the reports.

“The company has also told us that they have enhanced their information security practices to prevent this type of incident from recurring, and have reeducated their staff on patient confidentiality and the appropriate use of patient information,” the letter reads.