PHIPA Administrative Monetary Penalty

436 Patient Records. One Clerk. A $2,000 Fine. What Your Organization Needs to Know.

PHIPA Decision 334 from the Information and Privacy Commissioner of Ontario is a wake-up call for every health organization.

A hospital clerk spent six months snooping through the personal health information of 436 patients. She lost her job and was personally fined $2,000.

The message is clear: having privacy policies on paper is not enough. Organizations must ensure that staff understand and follow those policies—and be able to prove it. When they cannot, patients lose trust and organizations face increased regulatory scrutiny.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, organizations, and healthcare or public sector institutions. Let’s break down what happened, what the decision found, and how these lessons apply to privacy and records management programs.

What Happened

A patient services clerk at the Children’s Hospital of Eastern Ontario (CHEO) inappropriately accessed the personal health information (PHI) of 436 patients between March and September 2024. The breach came to light when a nurse contacted CHEO’s Privacy Office with questions about her stepchild’s care. The Privacy Office became concerned about how the nurse appeared to know information she should not have known. An audit revealed that a clerk working in the same unit had accessed the child’s record without authorization.

A broader investigation showed that the clerk had accessed:

  • Her own health record
  • Family members’ records
  • Hundreds of other patient records

The information viewed included demographic details, appointment histories, clinical notes, test results, and referral information.

Managing the Breach

We can analyze CHEO’s response using the 4-Step Response Plan.

Step 1 – Spot and Stop

The first step is to recognize that a privacy breach has occurred and immediately stop further unauthorized access.

A privacy breach occurs when personal health information is lost, accessed, used, disclosed, or destroyed without authorization.

In this case, CHEO’s Privacy Office received a tip on September 10, 2024, when a nurse raised concerns about her stepchild’s health information.

Step 2 – Investigate

CHEO acted quickly:

  • Conducted an initial audit
  • Placed the clerk on administrative leave
  • Revoked access to the electronic health record system
  • Expanded the audit to six months of activity
  • Conducted formal interviews and justification exercises

The investigation confirmed that the clerk had accessed 436 patient records without authorization.
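The audit steps above (an initial audit of one patient’s record, then an expanded look-back over six months of activity, then a justification exercise per flagged record) are the detection work a privacy office has to do before it can state a number like 436. The script below is an added illustration, not CHEO’s or the IPC’s own tooling, of how that audit can be run over an EHR access log. It assumes a simple, constructed data model: a staff roster (unit, surname, address, the staff member’s own patient record), a patient index, an encounter list, and an access log. A “care relationship” is assumed to exist when the patient had an encounter in the user’s unit within 30 days of the access; surname and address matching is a heuristic for family-member access. All names, record numbers and dates are constructed sample values.

```python
"""EHR access-log audit for snooping detection (constructed example).

Flags record accesses that need a justification exercise: a user viewing
their own record, a probable family member's record, or a patient who had
no encounter in the user's unit around the time of access. Every value
below is constructed for illustration; none comes from PHIPA Decision 334.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    mrn: str   # medical record number of the patient viewed
    unit: str  # unit the user was working in at the time


@dataclass(frozen=True)
class Encounter:
    mrn: str
    unit: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Staff:
    unit: str
    surname: str
    address: str
    own_mrn: Optional[str]  # the staff member's own patient record, if any


D = datetime  # shorthand for the constructed data below

# Constructed roster, patient index (mrn -> (surname, address)), encounters
# and access log. The tip date mirrors the narrative but the data is invented.
STAFF = {
    "clerk01": Staff("PEDS", "Tremblay", "12 Elm St", own_mrn="M100"),
    "nurse02": Staff("PEDS", "Ng", "5 Oak Ave", own_mrn=None),
}
PATIENTS = {
    "M100": ("Tremblay", "12 Elm St"),  # clerk01's own record
    "M101": ("Tremblay", "12 Elm St"),  # clerk01's child
    "M200": ("Singh", "9 Pine Rd"),     # the child whose care raised the tip
    "M300": ("Lopez", "3 Birch Ln"),    # patient legitimately on the unit
    "M301": ("Chen", "7 Cedar Ct"),     # patient of another unit
}
ENCOUNTERS = [
    Encounter("M200", "PEDS", D(2024, 8, 20), D(2024, 8, 21)),
    Encounter("M300", "PEDS", D(2024, 9, 1), D(2024, 9, 3)),
    Encounter("M301", "ONC", D(2024, 5, 18), D(2024, 5, 22)),
]
ACCESSES = [
    Access(D(2024, 9, 2, 10), "clerk01", "M300", "PEDS"),   # legitimate
    Access(D(2024, 6, 10, 14), "clerk01", "M200", "PEDS"),  # months before the stay
    Access(D(2024, 4, 15, 9), "clerk01", "M100", "PEDS"),   # own record
    Access(D(2024, 7, 1, 16), "clerk01", "M101", "PEDS"),   # child's record
    Access(D(2024, 5, 20, 11), "clerk01", "M301", "PEDS"),  # other unit's patient
    Access(D(2023, 12, 1, 8), "clerk01", "M301", "PEDS"),   # outside a 6-month lookback
    Access(D(2024, 8, 21, 7), "nurse02", "M200", "PEDS"),   # during the stay
]
TIP_DATE = D(2024, 9, 10)          # day the privacy office received the tip
CARE_WINDOW = timedelta(days=30)   # assumed grace period around an encounter


def has_care_relationship(acc, encounters, window=CARE_WINDOW):
    """True if the patient had an encounter in the user's unit near the access time."""
    return any(
        e.mrn == acc.mrn and e.unit == acc.unit
        and e.start - window <= acc.ts <= e.end + window
        for e in encounters
    )


def classify(acc, staff=STAFF, patients=PATIENTS, encounters=ENCOUNTERS):
    """Return the reasons an access needs justification (empty list if none)."""
    s = staff[acc.user]
    surname, address = patients[acc.mrn]
    reasons = []
    if s.own_mrn == acc.mrn:
        reasons.append("self-access")
    elif surname == s.surname or address == s.address:
        reasons.append("possible family member")
    if not has_care_relationship(acc, encounters):
        reasons.append("no care relationship")
    return reasons


def initial_audit(mrn, accesses=ACCESSES):
    """Step 2, initial audit: who viewed one patient's record without a clear basis."""
    result = {}
    for a in accesses:
        if a.mrn == mrn:
            reasons = classify(a)
            if reasons:
                result[a.user] = reasons
    return result


def expanded_audit(until, lookback=timedelta(days=180), accesses=ACCESSES):
    """Step 2, expanded audit: flagged accesses per user over a lookback window."""
    findings = defaultdict(dict)  # user -> mrn -> reasons
    for a in sorted(accesses, key=lambda x: x.ts):
        if not until - lookback <= a.ts <= until:
            continue
        reasons = classify(a)
        if reasons:
            merged = findings[a.user].setdefault(a.mrn, [])
            merged.extend(r for r in reasons if r not in merged)
    return {u: dict(m) for u, m in findings.items()}


def justification_counts(findings):
    """Distinct patient records each user must justify in the interview step."""
    return {u: len(m) for u, m in findings.items()}


if __name__ == "__main__":
    print("initial audit of M200:", initial_audit("M200"))
    found = expanded_audit(TIP_DATE)
    for user, recs in found.items():
        for mrn, why in recs.items():
            print(f"{user} -> {mrn}: {', '.join(why)}")
    print("records to justify:", justification_counts(found))
```

The output of the expanded audit is the list handed to the justification interview, not a verdict: a flagged access may still have a legitimate explanation (a clerk covering another unit, for example), which is why the decision describes interviews and justification exercises rather than counting raw log lines. The 30-day window and the surname/address heuristic are tuning choices; a real program would draw the care relationship from scheduling and registration data rather than a hand-built encounter list.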

There was no evidence that she copied, disclosed, or financially benefited from the information.

Remember: Simply viewing a patient record without a legitimate need to know is a privacy breach.

CHEO also confirmed that the clerk had completed initial privacy training and had signed a confidentiality agreement upon hire and a renewal in January 2023.

Step 3 – Notify

When a privacy breach occurs, the right people must be informed promptly.

Internally, notify your Privacy Officer and Custodian immediately.

CHEO reported the breach to the Ontario IPC on October 15, 2024.

CHEO initially notified 189 affected patients by mail. After a more extensive audit identified additional affected individuals, the hospital sent a further 107 notification letters in April 2025. Where current addresses were unavailable, notification letters were added to patient files for delivery at the next visit.

Step 4 – Prevent the Breach from Happening Again

After containing the incident, organizations must take steps to reduce the likelihood of recurrence.

CHEO:

  • Implemented their progressive discipline process.
  • Terminated the clerk’s employment on October 24, 2024.
  • Conducted proactive audits twice monthly for six months.
  • Implemented a comprehensive staff re-training initiative.
  • Reinforced the importance of appropriate access and confidentiality.

Commissioner’s Investigation

The Ontario IPC reviewed the incident and imposed Ontario’s second Administrative Monetary Penalty (AMP) under PHIPA.

An AMP is a financial penalty that the IPC can impose without commencing a court prosecution. The purpose is to encourage compliance and ensure that individuals or organizations do not benefit from privacy violations.

Under the PHIPA AMP regulations:

  • Individuals may be fined up to $50,000
  • Organizations may be fined up to $500,000

In this case, the clerk was ordered to pay $2,000 personally.

CHEO was not fined, but the Commissioner issued two formal recommendations to improve the organization’s ability to monitor, track, and document:

  • Annual privacy training completion
  • Annual confidentiality agreement renewals

Demonstrable Accountability

One of the most important lessons from this decision is the concept of demonstrable accountability.

It is not enough to say that staff are trained and confidentiality agreements are renewed annually.

You must be able to prove it.

In this case, CHEO had strong privacy policies and procedures, but it could not produce documented evidence that the employee had completed her 2024 privacy training or re-signed confidentiality agreements in 2023 and 2024.

The Commissioner summarized this principle clearly:

Organizations must “say what they will do, and then do what they say.”

Take-Aways

✅ A privacy breach can start with one suspicious question–train staff to pay attention and speak up.

✅ Having privacy policies is not enough; you must be able to prove your staff are following them.

✅ Track and document annual privacy training and confidentiality agreement renewals for every single staff member.

✅ Curiosity snooping is a serious breach, even when there is no intention to disclose the information.

✅ Simply viewing a patient record without a legitimate need to know is a privacy breach.

Call to action

Want to strengthen your privacy breach response and accountability program?

Join Kayla Das and Jean L. Eaton for our How to Manage a Privacy Breach in Your Canadian Practice Workshop, where we provide practical tools, templates, and training to help your organization respond confidently to privacy incidents and demonstrate compliance.

Reference

Information and Privacy Commissioner of Ontario. PHIPA Decision 334. April 23, 2026. https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/522336/1/document.do

How to Manage a Privacy Breach in Your Canadian Practice

How to Manage a Privacy Breach in Your Canadian Practice Workshop

Have you ever heard about a privacy breach at another practice and thought…

“I hope that never happens to us.”

The reality is — privacy breaches can happen in any healthcare practice, regardless of size, specialty, or technology. Whether it’s a misdirected fax, unauthorized access to a chart, lost device, or cyber incident, breaches are not a matter of if — but when.

What makes the difference is how prepared you are to respond.

I’m tickled pink to partner with Kayla Das to deliver a live virtual workshop designed to provide practical, step-by-step guidance for Canadian healthcare practices. Kayla Das B.Rec, BSW, MSW, RSW is a trusted Business Coach For Therapists and Counsellors.

Live Virtual Workshop

How to Manage a Privacy Breach in Your Canadian Practice

In this interactive on-line session, we’ll walk you through what to do when a privacy breach occurs — before you ever have to face one in real time.

This workshop is ideal for:

  • Canadian clinic managers
  • Privacy officers
  • Practice owners
  • Social workers, counsellors, and mental health leaders
  • Clinical supervisors and consultants

If you are responsible for protecting patient information, this training will help you strengthen your breach response readiness.

What We’ll Cover

Participants will learn:

  • The difference — and overlap — between confidentiality and privacy
  • Legislative, regulatory, and professional practice requirements across Canada
  • Why privacy breaches are a significant risk you should prepare for
  • How to recognize when a breach has occurred
  • The 4-Step Response Plan for managing a privacy breach
  • Practical steps to prevent breaches before they happen
    … and more

Important for Ontario Practitioners

Ontario health information custodians (practice owners) are required to submit annual privacy breach statistics to the Ontario Information and Privacy Commissioner by March 1 each year.

If you’re unsure what must be reported — or how to prepare — this workshop will address those requirements.

Workshop Details

This on-demand mini-course, How to Manage a Privacy Breach in Your Canadian Practice, is available now!
The mini-course is a replay of a live event hosted by Jean Eaton and Kayla Das on February 24, 2026, and runs approximately 85 minutes.

Privacy breaches are stressful — but managing them doesn’t have to be overwhelming when you have a plan.

We hope you’ll join us for this practical, supportive session designed to help you protect your patients, your practice, and your professional reputation.

Privacy Breach Nugget: When Patient “Success Stories” Become a Privacy Breach

When Patient “Success Stories” Become a Privacy Breach

Privacy Breach Nugget

Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s unpack today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

Cadia Healthcare Facilities is a rehabilitation, skilled nursing, and long-term care services provider with 5 locations in Delaware, US.

Cadia posted patient names, photographs, and detailed health information on its public-facing website as part of a marketing campaign featuring patient “success stories.” These disclosures were made without obtaining valid written authorization from the patients whose information appeared on the website.

4 Step Privacy Breach Response

Cadia’s management of the privacy breach can be examined using the 4 Step Response Plan framework.

Step 1 – Spot and Stop

Cadia had procedures that required employees to obtain written consent from patients before sharing their testimonials. Despite this, the Office for Civil Rights (OCR) received a complaint in September 2021 alleging that patient information had been disclosed without authorization.

OCR’s investigation ultimately confirmed that the protected health information (PHI) of 150 patients had been disclosed without proper authorization. Cadia was formally notified of these findings in February 2022.

Step 2 – Investigate

Cadia conducted an internal investigation and in March 2022 removed all of the success stories from its social media and website and ended the marketing campaign.

However, during this process, the organization deleted the content before confirming which patients had valid written consent on file, making it more difficult to accurately determine the full scope of unauthorized disclosures.

Step 3 – Notify

Cadia initially failed to notify affected patients of the privacy breach, as required. Notification obligations were later addressed as part of the enforcement process. A public notice regarding the breach can now be found on the Cadia website.

Step 4 – Prevent the Breach from Happening Again

According to the OCR settlement details:

  • Cadia agreed to pay a $182,000 USD penalty
  • A Corrective Action Plan (CAP) was imposed, including two years of OCR monitoring and reporting
  • Cadia failed to properly implement its existing administrative privacy policies
  • Cadia is required to:
    • Revise its privacy policies and procedures
    • Provide privacy training to all staff, including marketing personnel
    • Implement stronger authorization processes before using patient information for marketing
  • Cadia must now notify all affected individuals whose PHI was disclosed without authorization

Website and Social Media Tips

Custodians are responsible for ensuring that patients’ health information is collected, used, and disclosed in compliance with health privacy legislation, such as Alberta’s Health Information Act (HIA) and Ontario’s Personal Health Information Protection Act (PHIPA).

It’s also important to ensure your practices align with professional college standards related to advertising, professionalism, and confidentiality.

Here are key questions to include in your website and social media compliance checklist before collecting or using patient testimonials:

  • What is your clinic’s approval process before content is posted online?
  • Has the patient provided written consent for their information to be used?
    • If a photograph is included, does the consent explicitly authorize the use of images?
  • Who authorizes the content before it is published?
    • For example: the healthcare provider, lead custodian, social media lead, or privacy officer?
  • Before posting, has the content been reviewed for compliance with:
    • Health privacy legislation?
    • Professional college standards?
  • Does your marketing vendor understand your privacy obligations?
    • Do you have a written agreement in place requiring the vendor to protect the confidentiality of personal health information?

Also See

Is your website secure? Take the Website Self-Assessment from Elevated Business Solutions.

Do you have a website for your healthcare practice in Ontario? PHIPA Website Guide from Elevated Business Solutions will help you.

Take-Aways

The Cadia case is a reminder that policies alone are not enough. Clinics must ensure that privacy requirements are understood, followed in practice, and applied consistently across all teams, including marketing and external vendors. Taking the time to review your website and social media practices now can help prevent a costly and public privacy breach later.

You May Also Be Interested In

Medical Secretary Fined for Unauthorized Access And Disclosure to Health Information

3rd Largest Fine Ever Under the HIA

References

Cadia Healthcare Facilities. Notice of Success Story Incident. https://cadiahealthcare.com/wp-content/uploads/2025/06/Cadia_Notice-1.pdf

Health and Human Services. HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information. September 30, 2025. https://www.hhs.gov/press-room/ocr-settles-hipaa-with-cadia-healthcare-facilities.html

Help Me With HIPAA. Did Anyone Even Ask If It Was OK? – Ep 531 (podcast). October 17, 2025. https://helpmewithhipaa.com/did-anyone-even-ask-if-it-was-ok-ep-531

Why “Demonstrable Accountability” Matters

Does Your Privacy Program Have ‘Demonstrable Accountability’?

The first Ontario decision to include an Administrative Monetary Penalty (AMP) under the Personal Health Information Protection Act (PHIPA) shows how serious the consequences can be when personal health information (PHI) is used for an unauthorized secondary purpose.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.

What Happened

This case involves Windsor Regional Hospital (WRH), Chatham-Kent Hospital Alliance (CKHA), Erie Shores Healthcare, WE Kidz Pediatrics, and Dr. Omar Afandi.

Between April 20 and May 7, 2024, Dr. Afandi accessed the shared electronic health record (EHR) system of CKHA’s Women’s and Children’s Program. He used it to identify newborns so he could contact their parents to offer circumcision services at his private practice, WE Kidz Pediatrics.

Several parents reported receiving these unsolicited calls and complained to the hospitals. Dr. Afandi later stated he did not realize these accesses were unauthorized under PHIPA.

Managing the Breach

We can analyze the hospitals’ and clinic’s response using the 4-Step Response Plan.

Step 1 – Spot and Stop

The breach was reported by patients who received unsolicited contact from the physician.

The Chief of Staff wrote to Dr. Afandi on May 15, 2024, advising that his actions constituted an unauthorized collection and use of PHI and inviting him to withdraw his reappointment application with the hospital.

Step 2 – Investigate

The hospital conducted an internal investigation and notified the Information and Privacy Commissioner (IPC).

Records showed that Dr. Afandi had completed Privacy, Security, and Confidentiality training in October 2020 and had signed a confidentiality agreement with WRH. He also confirmed he reviewed WRH’s privacy module again when he reapplied in April 2024.

Step 3 – Notify

The hospitals reported the breach to the IPC on May 31, 2024, and to the College of Physicians and Surgeons of Ontario on June 1, 2024.

Notification letters were sent to potentially affected families the week of July 2, 2024, describing the incident, the PHI involved, and corrective actions. A hotline was provided for questions.

Step 4 – Prevent the Breach from Happening Again

AMP powers to address a privacy breach signal a new era of active enforcement in Ontario’s health privacy landscape.

Administrative Monetary Penalties (AMPs) came into effect under PHIPA on January 1, 2024. This update to the legislation gives the Information and Privacy Commissioner (IPC) authority to issue AMPs of up to $50,000 for individuals and $500,000 for organizations in cases of PHIPA non-compliance.

In this case, the Commissioner exercised those new powers and fined:

  • Dr. Afandi (individual): $5,000
  • WE Kidz Pediatrics (clinic as custodian): $7,500

Both were penalized for unauthorized access and use of PHI for personal gain.

The IPC found that WE Kidz opened without a compliant privacy program — a key factor in the penalty decision. 

WE Kidz was also required to complete privacy training and develop formal privacy policies and procedures. The Commissioner also recommended that WRH improve its record-keeping and monitoring to better demonstrate compliance in future audits.

Commissioner’s Investigation

The IPC emphasized the importance of “demonstrable accountability.”

“Demonstrable accountability” refers to a repeatable and evidence-based system of data governance whereby organizations can show regulators and individuals how they meet their legal and professional responsibilities in practice.

In the data regulatory context, the concept has evolved beyond basic checklist compliance. It now requires organizations to prove that their accountability mechanisms are active and effective — that safeguards are working as intended to reasonably protect personal health information.

In other words, demonstrable accountability means being able to measure, document, and demonstrate that privacy protections are in place, maintained, and effective — not just written in a policy.

Being able to demonstrate compliance is a regulatory expectation under PHIPA — and it’s the key to avoiding costly penalties.

Infographic: Demonstrable Accountability (Information Managers Ltd.)

Under Section 10 of PHIPA, custodians must have information practices describing how they collect, use, disclose, retain, and safeguard PHI — and they must comply with those practices in day-to-day operations.

Take-Aways

✅ “Demonstrable accountability” means having evidence that your privacy program is working — not just written policies on a shelf.

✅ Maintain dated policies, training checklists, and signed confidentiality agreements for every team member.

✅ Replace “professional deference” with consistent expectations — all healthcare providers must complete privacy training and demonstrate understanding.

✅ Document and review your privacy program annually to ensure that safeguards and practices are effective in real life.

✅ Unauthorized secondary use of PHI — even for legitimate healthcare services — is a serious breach and can result in financial penalties.

Need Help Training Your Privacy Team?

Join the Practice Management Success Membership to access privacy awareness training, templates, and resources to strengthen your privacy management program.

Reference

Information and Privacy Commissioner of Ontario. PHIPA Decision 298. August 28, 2025. https://www.ipc.on.ca/en/decisions/latest-decisions/phipa-decision-298

Privacy Breach Nugget: Why Documentation Matters in Privacy Breach Investigations

Investigation Tips Following the NWT Health Authority Incident

When employees make mistakes that result in a privacy breach, the custodian is held responsible to ensure that appropriate investigations are performed. This includes appropriate documentation of the privacy breach incident and sanctions when indicated.

The NWT Information and Privacy Commissioner (IPC) opened an investigation into the Northwest Territories Health and Social Services Authority (NTHSSA) after a reported privacy breach in 2024. This review aimed to assess whether the health authority had adequate safeguards in place to investigate and prevent similar future incidents.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.

What Happened

In April 2024, a patient filed a complaint with the nurse-in-charge at a health centre in the Northwest Territories. The complaint alleged that a clerk had inappropriately shared the patient’s personal health information with a family member during a casual conversation.

The nurse-in-charge apologized to the patient and escalated the issue to the regional manager. The clerk denied disclosing the health information, but the health authority concluded the incident had indeed occurred.

The Commissioner emphasized that there was no ill intent, stating:

“The interaction between the clerk and the sister was spontaneous and indicates a simple lapse in judgment.”

Managing the Breach

The NTHSSA’s management of the privacy breach can be examined using the 4 Step Response Plan.

Step 1 – Spot and Stop

The privacy breach was identified by the patient, reported to the nurse-in-charge, and escalated to the regional manager.

Step 2 – Investigate

An investigation was initiated. While the clerk denied the allegation, the health authority determined a breach had occurred.

However, the Commissioner noted a serious concern: the investigation was poorly documented. If notes were taken, they could not be located or produced during the review.

Step 3 – Notify

The patient and NTHSSA (the custodian) were aware of the breach. No further notification was required.

Step 4 – Prevent the Breach from Happening Again

The health authority directed the clerk to:

  • Complete updated privacy training
  • Review the oath of office
  • Review patient confidentiality policies

No further disciplinary action was taken.

Commissioner’s Investigation

The IPC made several key recommendations:

  • Equip investigators: Ensure staff who investigate privacy breaches are properly trained and supported to conduct effective, timely, and well-documented investigations.
  • Enforce sanctions: Ensure managers understand the range of disciplinary options available and are aware of their obligation to apply reasonable disciplinary measures when warranted.
  • Annual privacy training: Reinforce the Mandatory Training Policy by ensuring all employees complete refresher privacy training every year.
  • Use real examples: Incorporate this privacy breach as a case study in future privacy training to help employees understand their obligations—at work and outside of work.

Take-Aways

Annual privacy training is not enough.

Training must include real-world, job-relevant examples and emphasize how privacy rules apply in everyday situations.

When employees make mistakes, it’s the custodian’s responsibility to lead an appropriate and well-documented investigation—not just revisit outdated training.

A strong privacy culture includes tools, training, and clarity. Equip your investigators, privacy officers, and managers with the skills they need to respond appropriately.

For more on how to manage privacy-related employee errors, listen to the podcast:

Managing Employees When They Make Mistakes – Episode #105

Need Help Training Your Privacy Team?

Ask me about Practical Privacy Officer Strategies training to strengthen your internal investigation process and build a more resilient workplace.

Reference

NWT IPC File Number 24-950-6, April 4, 2025. Northwest Territories Health and Social Services Authority (Re), 2025 NTIPC 97 (CanLII), https://canlii.ca/t/kc0s6, retrieved 2025-06-09.
