Information and Privacy Commissioner Orders $2,000 Penalty
In a previous blog, “Snooping and Unauthorized Access to Medical Records”, we wrote about the rise of snooping cases in recent years. Amendments to the Personal Health Information Protection Act, 2004 (PHIPA) in 2020 gave the Information and Privacy Commissioner of Ontario (IPC) the power to impose administrative monetary penalties (AMPs) on those who snoop in medical records, and AMPs went into effect in January 2024. To date, only two decisions have been released that order AMPs, the most recent of which was released on April 23, 2026.
The first AMP was ordered in Decision 298 in August 2025. In that decision, a doctor was ordered to pay a $5,000 penalty for accessing and using patients’ hospital records without authorization for personal financial gain, and a related clinic was ordered to pay a penalty of $7,500 for failing to meet its most basic obligations under PHIPA, including failing to have any privacy management program in place and imposing no limits on the physician’s authority to collect, use, or disclose personal health information. Now, a second decision, Decision 334, has been released, providing more information about how AMPs will be applied in the future.
What Happened in Decision 334?
The IPC received a breach report from the Children’s Hospital of Eastern Ontario (CHEO), which alleged that a patient services clerk inappropriately accessed the personal health information of 436 patients. Investigations conducted by CHEO and the IPC revealed that the clerk was using the electronic health record’s “patient lookup” feature to search for patients by name in order to view information such as their clinical notes and appointment history, including in the records of her own family members. As a result, the clerk was terminated from CHEO.
In its review, the IPC determined that CHEO responded in a timely, methodical and responsible manner once it discovered that the clerk was snooping. CHEO took immediate steps to contain the breach, determine its scope, notify affected individuals, report the breach to the IPC, investigate the cause of the breach, and undertake remedial measures to mitigate the chances of the breach recurring. As such, the IPC found that no orders or further recommendations to CHEO were warranted.
Why Was an AMP Ordered?
The IPC relied on its guidance document in determining whether to order an AMP against the clerk. This document describes the general approach that the IPC adopts when determining if an AMP is warranted:
AMPs are part of the IPC’s broader regulatory toolkit for encouraging compliance with PHIPA in a manner that is flexible, balanced, and progressive. The IPC’s ability to directly impose AMPs provides additional flexibility to address contraventions of PHIPA with appropriate and meaningful consequences, depending on their level of severity. AMPs are but one option among the range of escalating actions and interventions available to the IPC, short of referring offences to the Attorney General of Ontario for prosecution.
The IPC takes a measured and proportionate approach to assessing the most appropriate way of addressing each contravention. Similar to the values and principles underlying a just culture approach, we apply our statutory responsibilities in a way that balances the need for accountability and continuous learning. A just culture approach generally emphasizes the value of openly reporting and learning from medical errors that occur in complex systems, while reserving more severe consequences for cases where stronger interventions are necessary to ensure proper accountability.
The criteria for determining the amount of an AMP are set out in section 35(3) of Regulation 329/04 to PHIPA. These criteria are:
The extent to which the contraventions deviate from the requirements of the Act or its regulations.
The extent to which the person could have taken steps to prevent the contraventions.
The extent of the harm or potential harm to others resulting from the contraventions.
The extent to which the person tried to mitigate any harm or potential harm or took any other remedial action.
The number of individuals, health information custodians and other persons affected by the contraventions.
Whether the person notified the Commissioner and any individuals whose personal health information was affected by the contraventions.
The extent to which the person derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contraventions.
Whether the person has previously contravened the Act or its regulations.
After considering the criteria and all relevant evidence, the IPC ordered an AMP of $2,000. The decision noted that snooping for whatever reason, including sheer curiosity, is a serious issue and all snooping cases will be considered a significant departure from the requirements of PHIPA. The decision also noted that the clerk took minimal steps to mitigate the harm caused by the breach, and in fact admitted to being defensive and providing inconsistent information. Additionally, the number of affected patients was significant.
The IPC can also consider information in addition to the above criteria. In this regard, the decision noted that the clerk was ultimately terminated from her position, and therefore had already suffered a significant financial consequence, and would ultimately suffer reputational damage as a result of the decision. This case also did not involve any economic gain, in contrast to Decision 298. As such, the IPC noted that the quantum for the AMP ordered in this case should be lower than in Decision 298.
Key Takeaway
The case law on AMPs is still developing. As additional decisions are issued and more AMPs are imposed, the likely quantum of such penalties should become more predictable. Health professionals and organizations should review the IPC’s guidance document, pay close attention to this law as it develops, and keep in mind that snooping (of any kind and for whatever reason) can result in monetary penalties.
Do you have questions regarding a privacy breach? Contact us for assistance.

