Maamwesying North Shore Community Health Services pulled all of its health-care workers out of Thessalon First Nation last month following a privacy breach involving unauthorized access to patients’ personal health records.
A letter from the Indigenous health-care provider was sent to patients who had been impacted by the privacy breach this past March. Although it remains unclear exactly how many people were affected by the breach, sources tell SooToday it’s believed that more than 20 people who received health-care services in Thessalon First Nation had their personal health information compromised when a staff member with the First Nation accessed their files.
Approximately 113 people live in Thessalon First Nation, according to recent statistics from Crown-Indigenous Relations and Northern Affairs Canada.
“Please be reassured that there is no indication your personal health information (meaning your diagnoses, test results, clinical notes, address or contact information) was shared with anyone else,” said the letter. “The community staff member has confirmed that no copies were made and that your health record was not altered or removed from the building.”
The letter also indicated the staff member no longer had access to Maamwesying’s electronic medical record, and that the health-care provider was reviewing its privacy policies, providing mandatory privacy re-training for employees and community partners, and posting privacy information in its waiting room to ensure patients know their privacy rights.
“In the future, we will continue to focus on ongoing staff and community privacy training as a priority,” said the letter. “We will also continue privacy audits of our electronic medical records system to ensure we are notified of any unusual activity in patient files.”
Maamwesying did not respond to requests for comment made by SooToday last month.
Bruce Mills, a non-band member who lives in Thessalon First Nation, received one of the letters from Maamwesying, which informed him that his health information was accessed three times by a community health nurse between December 2023 and January 2024.
Mills stresses that he was not a patient of the nurse, who was referenced by name in the letters. SooToday has chosen not to name the staff member because an investigation is ongoing.
“I’m kind of pissed off, because obviously they’ve been into it three different times. So, they’re looking for something,” said Mills. “I mean, I don’t have nothing in there that discredits me or nothing like that, as far as that’s concerned.
“But it’s one part of your identity, which is your health number.”
If anything, Mills is grateful that Maamwesying pulled its health-care services out of the First Nation last month — even if that means he has to travel to the nearby town of Thessalon to see his doctor. “It doesn’t bother me, because I can drive to town,” he said. “Now, do I feel a little bit safer right now? Absolutely I do.”
Mills says he’s spoken with several others in Thessalon First Nation who have also received letters from Maamwesying advising them of the privacy breach.
“There are a number of them that I just talk with,” he said. “It was a pretty hot topic around here for a few days, to be completely honest with you. For the life of me, I don’t know why they would do it — I just don’t know what the end game was, other than to see if they could use it against you or something.”
Mills’ daughter-in-law, Jaime Lanteigne — a non-Indigenous resident of Thessalon First Nation, who previously worked for the First Nation in a couple of different roles — says she was “triggered” when she received a similar letter from Maamwesying, advising that her personal health records had been accessed by a community health nurse when they were unauthorized to do so. “I was just like, what is this?” said Lanteigne. “It was honestly shocking.”
Last month, Thessalon First Nation issued a statement on social media, advising its members that the “serious allegations have not been proven,” after Maamwesying informed the First Nation of the privacy breach March 14.
“Thessalon takes this matter very seriously. But allegations are not fact,” said the statement, which also indicated that the First Nation had asked Maamwesying to share the findings of its investigation. “Maamwesying did not provide any proof of its investigation,” the statement said.
Thessalon First Nation Chief Joseph Wabigwan declined to comment.
Maamwesying also used the privacy breach letter to inform patients that both the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Colleges of Nurses of Ontario (CNO) had also been notified of the privacy breach.
The CNO declined comment, citing privacy concerns. The IPC, however, confirmed with SooToday that Maamwesying North Shore Community Health Services filed a privacy breach report Feb. 23, and that an investigation into the matter is "currently in progress."
The IPC added that all health-care providers in Ontario “must have the necessary safeguards in place to detect, prevent, and reduce the risk of unauthorized access to personal health information.”
“Unauthorized access to personal health information, or snooping, is a serious issue that undermines patient trust in Ontario’s health care system,” said the IPC. “Snooping, whether motivated by curiosity, personal gain, or even concern, is unacceptable and can have devastating consequences for patients and health care professionals.”
Lanteigne initially decided to go public by posting her letter to social media out of frustration, upon learning that her personal health information had been accessed for no apparent reason by a Thessalon First Nation staff member.
“I can deal with a lot of stuff — but when you’re creeping on my personal information, I have issues,” she said.