On April 23, 2026, the Office of the Information and Privacy Commissioner of Ontario (IPC) released PHIPA Decision 334 (the Decision), in which the IPC issued its second administrative monetary penalty (AMP) under Ontario’s Personal Health Information Protection Act (PHIPA).

The Decision concerns a privacy breach at the Children’s Hospital of Eastern Ontario (CHEO) in which Isabelle Robinson, a patient services clerk, inappropriately accessed the personal health information (PHI) of 436 patients between March and September 2024. The breach first came to light after a nurse contacted CHEO’s Privacy Office with questions regarding her stepchild’s care. This prompted CHEO’s Privacy Office to investigate how the nurse, who was not the child’s legal guardian, knew certain specifics about the child’s treatment. An audit revealed that Ms. Robinson (who worked with the nurse) had accessed the child’s record without authority, leading CHEO to review her broader activity in the hospital’s electronic health record system.

CHEO’s investigation found that Ms. Robinson had accessed not only her own health record, but also the medical records of family members and many other adult and pediatric patients. Ms. Robinson accessed a wide variety of information, including patient demographics, various reports, clinical notes, and appointment history. However, CHEO found no evidence that she copied, retained, or disclosed any of the PHI she accessed. CHEO reported the breach to the IPC.

After the determination that Ms. Robinson’s access was unauthorized, the Decision focused on three key issues: 1) whether CHEO complied with its obligations to protect the PHI in its custody or control; 2) whether CHEO responded adequately to the breach; and 3) whether an AMP should be imposed on Ms. Robinson.

On the first two issues, the IPC found that the steps taken by CHEO to protect the PHI in its control were reasonable in the circumstances and that its response to the breach was timely, methodical, and responsible. Although the IPC made minor recommendations regarding employee privacy training and the tracking of confidentiality agreements, it concluded that CHEO had complied with its obligations under PHIPA.

On the third issue, the IPC imposed an AMP of $2,000 on Ms. Robinson. The IPC found that doing so aligned with the purpose of the statutory power to encourage compliance with PHIPA and reflected the seriousness of Ms. Robinson’s unauthorized snooping.

Summary By: Claire Bettio

E-TIPS® ISSUE

26 05 20

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.