We value your privacy

Any disclosures of breaches of private patient information or of any misplaced confidential documents will be published on this page.

This is in keeping with the Personal Health Information Protection Act and with our own Strategic Plan-On-A-Page, which states that we are “Accountable for our resources, our services and our behaviours” and that we are “Honest and trustworthy.”

Rouge Valley Health System Disclosures

May 16, 2011 – Rouge Valley Health System (RVHS) is reminding all staff and physicians not to carry confidential information on an unencrypted memory stick.

Two weeks ago, RVHS became aware of a privacy breach involving a lost universal serial bus (USB) memory stick with letters to 73 patients. RVHS is taking action to prevent any future possible issues such as this, as patient confidentiality is a priority of the hospital and a legal requirement. The loss of the USB key in this case involved a staff member who cannot locate the small device.

Storage of information on the USB memory stick represents a breach of current RVHS policy (2009) and practices. Corrective and disciplinary measures are taking place while attempts to recover the missing device are ongoing.

We have recently informed and apologized to patients about the lost USB memory stick. The Information and Privacy Commissioner's (IPC) Office has been notified.

For more information, please contact David Brazeau, RVHS director of public affairs and community relations, at 647-294-8885 or at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

View RVHS policy on the use of mobile devices and transporting hard copies of personal health information.

Frequently asked questions

Here are answers to some frequently asked questions regarding this information breach.

1. What is the name of the person who disclosed the personal health information?

   We are not identifying the person, other than to state that the employee is a Speech Language Pathologist. The individual self reported the loss, and our legal counsel has advised that disclosure of the individual’s name is inappropriate.

   We take full responsibility for this serious incident. Strong disciplinary actions were taken and further education has been provided for this hospital employee. We have also increased our education for all employees and doctors on the issue of secure containment of patient information. We are reminding people of our two-year-old policy banning the use of unencrypted USB memory sticks.

2. What is happening to the person who made the disclosure?

   The hospital takes this breach of your privacy very seriously. We have disciplined the hospital employee — and because we believe that it is important to encourage self-reporting of errors of this type so that we can take appropriate action, the discipline stopped short of termination of employment. The discipline is, however, significant and impactful to the individual involved.

   We provide employees who need to carry patient information with encrypted and password-protected USB memory sticks, and we have also created a secure internal access to such information for appropriate professionals in order to eliminate the banned use of unencrypted USB memory sticks. Our staff are aware of the importance of this issue and of the consequences of violating the policy. Ongoing communication will continue with staff on this matter.

3. Has the hospital contacted Service Ontario (previously OHIP office) and informed them of the names and/or numbers of health cards that were on the missing USB memory stick?

   The hospital has contacted Service Ontario to inform them that the loss occurred and that they will likely receive requests for new health cards. No specific details were provided to Service Ontario, as none were required. No health card has been invalidated, as the replacement of cards rests with the individual affected. We have also contacted the Information and Privacy Commissioner’s Office.

   Some letters that were on the lost USB memory stick contained health card numbers, while others did not. We have contacted patients and asked them to call Nancy Walton at the hospital (at 416-281-7083) to find out if their health card number was compromised. The Information and Privacy Commissioner’s Office recommends that patients whose health card numbers were compromised should replace their cards with new ones through Service Ontario.

4. How do patients replace their health cards?

   Patients can replace their health card by going to the nearest Service Ontario office and informing them that they require a new card and new number. They will need to bring three pieces of official identification (for example — Driver’s License, Health Card, Birth Certificate). Find a Service Ontario office.

5. Will the hospital reimburse affected people for the cost of replacing a health card?

   There is no charge to replace a health card. However, for patients choosing to replace their health cards, the hospital will reimburse them for other costs that may be incurred for doing so. They should keep receipts of their costs for parking and travel related to replacing the card. The hospital will reimburse them using our standard of 40 cents per kilometre to cover your mileage from home to the closest Service Ontario office.

6. What specific information was disclosed?

   The USB memory stick contained letters to 73 patients, from 2003 to 2011, with some of their personal health information included. Each letter had different patient-specific information.

7. How do you know what information was on the USB memory stick if you cannot find it?

   The employee who disclosed the loss also had a back-up copy of the files that were on the missing USB memory stick.

8. Is the hospital continuing to search for the memory stick?

   Yes, we continue to search for the missing USB memory stick.

9. Has the hospital notified all people who have made referrals to the employee involved in this incident that a breach of privacy occurred?

   We have attempted to contact all patients who had information on the missing USB memory stick — but not all patients who had professional dealings with the employee, nor all persons who have made referrals to the employee. We are rigorously following the requirements and the advice of the Information and Privacy Commissioner’s Office on this serious matter.

10. How will the hospital prevent someone who may find the missing USB memory stick from accessing those private health card numbers that were contained in some of the letters?

    Letters to each of the 73 patients directed them to contact the hospital to find out if their health card number has been compromised. For those patients whose health card number has been compromised, it is advised by the Information and Privacy Commissioner’s Office that they report the incident to their local Service Ontario office in order to replace their health card and number.

    Once a health card has been reported by the owner to Service Ontario as being compromised, it is recorded in the government’s database. This database is used in hospitals for health card validation. If a compromised card is used, it will be checked against the database and a message would be displayed to the hospital indicating that the health card is not valid.

11. Will the hospital be following up with further correspondence to the patients?

    We have informed and apologized to all of the patients affected. If the USB memory stick is found, we will inform them. This is the most current information.

12. How were patients informed?

    The hospital informed affected patients via registered mail through Canada Post, as this is one of the most secure means to send mail. Telephone calls were also made by the hospital to each patient’s home.