Brandon Harder
Regina Leader-Post
The private records of patients at the Elphinstone Medical Clinic were just laying loose on the ground in a nearby alley and an empty lot.
According to a report from Saskatchewan’s Information and Privacy Commissioner (SIPC), a person referred to as “Individual A” saw a Facebook post on Oct. 27, 2024 that referenced patient records scattered near the Regina clinic.
So, the individual went to see for themself.
Documents were found “loosely blown about,” according to the commissioner’s report, dated March 26.
“Individual A retrieved what records they could find and took them home for safekeeping,” it states.
The next day, that person reported the incident to the commissioner’s office and turned over the records they’d found. Commissioner Ronald Kruzeniski wrote that his staff too scoured the area, finding an additional document.
It also came to light that another person — “Individual B” — had noticed the Facebook post and searched the area prior to Individual A, collecting records from in and around a blue recycling bin behind the clinic.
These too were turned over to the SIPC.
“They thought they had collected about 100 pages,” the report states.
An investigation was launched and, as it turns out, a contracted cleaning employee had dumped the records into an outside bin on Oct. 26, 2024.
“The open recycling bins inside the Clinic indicated the contents were confidential and for shredding,” the report states.
Records collected by the SIPC were eventually retrieved by Nebeolisa Ezeasor, a psychiatrist associated with the clinic, and Chukwuemeka Odenigbo, also a psychiatrist and the clinic’s owner, after they were in touch with the commissioner’s office.
“My office also advised them that I would be undertaking an investigation and would be issuing a public investigation report,” Kruzeniski wrote.
Records of a sensitive, personal nature
Most of the patient records found were copies of a “Psychiatric Intake Form,” according to the report.
“The form contains the patient’s name, date of birth, names of primary care physician and counselor/therapist, and sections to indicate what issues they are currently experiencing,” the report states.
“Responses may regard risk to suicide, substance use (including illegal substances), family background/history (including names/ages of family members and details of current or past relationships), medications used, and history of trauma or abuse.”
Documents were also found containing patients’ addresses as well as health numbers, according to the report, which notes most of the documents “appear to have been dated between October 1st to 4th 2024.”
“Dr. Odenigbo and Dr. Ezeasor advised my office that of the 88 affected patients, 86 were Dr. Ezeasor’s patients, and two were Dr. Odenigbo’s,” Kruzeniski wrote, later noting they’d accepted responsibility for the privacy breach.
Containment, notification and the root cause
The commissioner’s report added that, following the breach, Ezeasor and Odenigbo immediately raised the issue with the cleaning contractor. It also noted they could’ve reached out to those who posted on Facebook and nearby residents to ask if they’d seen or collected any records.
“I find that Dr. Odenigbo did not take adequate steps to ensure the breach was fully contained,” he wrote, having noted that the breach occurred on a weekend when there was a football game near the clinic at Mosaic stadium and anyone who passed by may have come across the records.
Further, Kruzeniski found that the letters written to notify affected patients were lacking.
The letters “should have included what exact data elements were involved for each affected individual and the type of risk associated with those data elements, and that they should have also included a one-year offer of credit monitoring,” the commissioner wrote.
He also found that Odenigbo and Ezeasor “did not adequately identify the root cause of the privacy breach,” which the commissioner wrote was a “lack of sufficient administrative and physical safeguards.”
Prevention efforts
The report noted Odenigbo and Ezeasor took steps to prevent future breaches of this nature. That included placing paper shredders in exam rooms and setting any leftover paper documents in a locked drawer “pending shredding” at the end of the day (until then, they may be kept in open-topped recycling bins).
They’ve also dedicated one employee to be responsible for shredding, instead of multiple.
However, Kruzeniski recommended additional steps. These include signing confidentiality agreements with contractors and employees of contractors, as well as ensuring they’re trained on privacy.
He also recommended that affected individuals be offered one year of credit monitoring.
Additionally, he suggested Odenigbo and Ezeasor create a verification document for use when scanning records, which would include a notation on how the paper was destroyed.
Finally, he recommended they replace recycling bins in the clinic with bins that have lockable covers, or simply keep records that await shredding in a locked drawer or cabinet.
Kruzeniski’s full report is available online.
