On October 27, 2025, the Information and Privacy Commissioner of Ontario (IPC) published its response to a hospital’s self-reported privacy breach under the Personal Health Information Protection Act (PHIPA), in which a virtual meeting involving the discussion of patient information was inadvertently recorded and transcribed by an artificial intelligence-powered transcription tool (Otter.ai).

Two critical security gaps led to this breach: (i) a former physician at the hospital used his personal email address to attend work meetings contrary to hospital policy; and (ii) that same physician was not removed from a recurring meeting invite, despite his departure from the hospital in 2023. The physician created an Otter.ai account using the same personal email address in 2024, which gave the tool access to his calendar and enabled it to join the hospital’s virtual meeting and transcribe the discussion. The meeting participants were unaware of Otter.ai’s presence until a transcript of the meeting was emailed to the invitees afterwards.

To contain the breach, the hospital cancelled the recurring meeting invite, instructed all invitees to delete any copies of the meeting transcript, and directed the former physician to contact Otter.ai to request deletion of the transcript from its records. The hospital also notified the affected patients (or their estates, where possible) of the breach. To prevent future breaches, the hospital’s AI governance program implemented firewalls for various AI transcription tools, updated its training materials to address AI use, and updated its policies to prevent the use of unapproved digital tools by hospital employees.

The IPC recommended that the hospital take additional measures, such as:

  • Submitting its own formal request to Otter.ai to delete the meeting transcript from its records;
  • Updating its breach protocols to require immediate contact of third-party organizations to request the deletion of any personal health information (PHI) collected without authorization in similar circumstances;
  • Updating its Acceptable Use Policy to ensure personal devices are not used to conduct hospital work;
  • Enforcing the use of a “lobby” for virtual meetings where PHI is discussed; and
  • Auditing its offboarding process to ensure that departing employees’ access to hospital systems, including calendars, is revoked.

The hospital was asked to provide an update to the IPC on the implementation status of these recommendations by January 27, 2026.

Summary By: Amy Ariganello


E-TIPS® ISSUE

25 11 26

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.