Privacy investigation looks into snooping incidents involving patient medical records at Lakeridge Health

The Lakeridge Health Oshawa hospital is shown in Oshawa on Friday January 21, 2022. THE CANADIAN PRESS/Doug Ives

An investigation by the Privacy Commissioner of Ontario into snooping incidents at Lakeridge Health has revealed that the hospital network repeatedly failed to protect the personal health information of people in its care when staff inappropriately accessed patient files.

In a decision posted online, an adjudicator with the commission said that a “systemic review” of the Durham Region hospital network’s privacy policies and procedures arose from a number of snooping incidents reported by Lakeridge Health between 2023 and 2025.

“Lakeridge Health reported a number of unauthorized accesses to personal health information made by agents of the hospital, including a physician, a unit clerk, a clinical extern, a diagnostic imaging technician, and two registered practical nurses,” the decision, published on April 24, read.

“These hospital agents all accessed patients’ personal health information without authority, breaching the Personal Health Information Protection Act (PHIPA). The breaches all involved different circumstances, including the number of patients affected.”

One staff member accused of inappropriately accessing patient files was a physician, who saw their hospital privileges suspended on two separate occasions after audits were conducted into the doctor’s accesses. One audit involved inappropriate accesses to personal health information involving 326 patients, the report notes.

Other inappropriate accesses allegedly involved a unit clerk at Lakeridge Health. Following a hospital-wide notice sent out about the death of a staff member, the hospital’s privacy office ran audits on all accesses to the deceased’s electronic medical record due to the risk of snooping. An audit showed that the unit clerk accessed the patient record the day after the staff member died, the investigator said.

According to the review, a manager later confirmed in an audit that the unit clerk had inappropriately accessed the personal information of four patients. The unit clerk resigned shortly before the hospital was set to terminate their employment, the review said.

According to the investigator, the son of one of the patients impacted by the unit clerk’s breaches told the hospital that he too suspected his information had been inappropriately accessed, as he believed the staff member in question was his ex-wife.

“The hospital confirmed that the unit clerk was the son’s ex-wife and ran an additional audit, this time into accesses to the son’s personal health information. The hospital found that the unit clerk had accessed his personal health information twice in April 2023,” the decision read.

“The son was notified of this unauthorized access a day after he first reached out to the hospital with his concerns.”

A clinical extern at the hospital was investigated, the review notes, after someone came forward to report concerns that their neighbour, a hospital employee, may have inappropriately accessed her personal health information and that of three of her family members.

Following an audit, the employee’s manager confirmed that there was “no reason for her to have made 23 of the suspicious accesses.”

The decision notes that while investigating all of the aforementioned unauthorized accesses involving hospital employees, the hospital did not remove any agents’ access to electronic health records at the outset of the investigations, allowing staff suspected of snooping to “continue further unauthorized accesses in some cases.”

“The hospital also took a significant amount of time to notify the affected individuals in at least three cases,” the decision read.

CP24 reached out to Lakeridge Health for comment but did not receive a response.

The document states that prior to the latest incidents, the hospital had reported three similar snooping incidents to the IPC. In a decision in that review, the investigator said that the hospital had committed to “review and amend its privacy policies, as well as training, educational and informational materials, in order to target and prevent breaches.”

In the wake of the earlier breaches, the hospital did outline steps it had taken to prevent future snooping incidents.

The hospital, according to the reviewer, said improvements were made to the definition of “circle of care” to give health care providers a better understanding of implied consent to collect, use, or disclose personal health information.

“The hospital states that many unauthorized accesses occur due to not fully understanding this concept but also notes that health care providers may sometimes be ‘exploiting uncertainty to attempt to justify snooping,’” the report read.

Additionally, the hospital said that an introduction was added to its guidance document to emphasize the importance of protecting information and preventing the loss, theft, and unauthorized access, collection, use, and disclosure of personal health information.

“Despite these changes, the hospital continued to report unauthorized accesses to the IPC and the IPC continued to open files to address these breaches,” the report noted.

The hospital reported eight snooping breaches to the IPC in 2023, another eight in 2024, and five more between January 1, 2025, and August 18, 2025, prompting a systemic review of the ongoing unauthorized accesses occurring at the hospital, the investigator wrote.

In response to the findings in the review, the investigator ordered that the hospital take a number of additional steps to protect personal health information of patients, including a requirement that the hospital make a decision on interim removal of access to health records “at the outset of the investigation” and “as necessary during the investigation.”

The hospital must also “clearly set out the considerations the hospital will evaluate when making its decision on removal of EHR access.”

Lakeridge Health has also been ordered to “provide target timelines for investigations into unauthorized accesses and clearly establish the steps the hospital will take within those investigations.”

The hospital must also notify affected individuals at the “first reasonable opportunity” even if an investigation is ongoing and disciplinary measures have yet to be determined.