Third-party storage company destroyed patient charts damaged in flood
The Office of the Information and Privacy Commissioner of Ontario (IPC) has recommended that a medical centre ensure that future notices to patients regarding the loss of their records comply with Ontario’s Personal Health Information Protection Act, 2004 (PHIPA).
In A Medical Centre (Re), 2026 CanLII 3338 (ON IPC), after the medical centre took over a medical practice, the IPC received a complaint that the medical centre failed to respond to a request for access to paper medical charts held originally by the medical practice.
According to the medical centre, after the takeover, it digitized some patient charts in its electronic medical records system and entered into an arrangement with a third-party service provider for the off-site storage of the remaining paper charts.
The medical centre claimed that it initially could not process the access request because the storage company did not respond to its letters or telephone calls.
In a June 2023 letter to the medical centre, the storage company explained that a flood had damaged the charts stored in the basement, forcing it to professionally and securely destroy the wet and mouldy documents.
In a final decision, the medical centre determined that the records responding to the access request no longer existed.
The IPC investigated the matter due to its concerns about whether the medical centre had implemented reasonable information security practices in the circumstances to protect the personal health information against loss.
An IPC investigator urged the medical centre to ensure that, in future privacy breaches involving the theft, loss, or unauthorized use or disclosure of personal health information in its custody or control, any notices to affected individuals include a statement informing them of their right to file an IPC complaint, as required by s. 12(2)(b) of PHIPA.
The investigator characterized the destruction of the records as a loss of personal health information under s. 12(1) of PHIPA and thus a privacy breach.
The investigator determined that the medical centre did not take reasonable steps in the circumstances to protect the personal health information in its custody or control against loss under s. 12(1) and insufficiently notified the affected individuals under s. 12(2)(b).
The investigator held that the medical centre fell short of the practices recommended in the IPC’s guidance on contracting with third-party service providers because its arrangement with the storage company did not adequately address flood damage and other environmental risks associated with off-site physical storage.
However, the investigator acknowledged that the medical centre took meaningful investigative and remedial steps to address the privacy breach and prevent a similar loss in the future. The investigator noted that the medical centre:
The investigator saw no evidence of any ongoing risk to personal health information. The investigator concluded that a discretionary review under s. 58(1), part VI, of PHIPA would be unnecessary.