Heather Wright/The Independent

Bluewater Health had no legal reason to collect Social Insurance Numbers from its patients.

That information is contained in a just released report by Francisco Woo, an investigator in the Office of the Information and Privacy Commissioner.

Woo’s 35-page report examines whether Bluewater Health, its IT provider TransForm Shared Services and the four other regional hospitals affected by the Oct. 22, 2023 attack followed the notification rules set out in the Personal Health Information Protection Act.

But it also talks extensively about the 20,000 SIN numbers which Daixin hackers stole from Bluewater Health’s servers and released on the dark web. After the hack, the hospital notified patients of the release of information and offered credit monitoring services for two years to prevent fraud.

But Woo’s report says lawyers for the hospital could not point to legislation which required the hospital to collect the SINs of people accessing treatment under the Workplace Safety Insurance Board.

Bluewater Health’s lawyers told the investigators since 2002, the hospital “was required to collect SINs from patients seeking treatments related to Workplace Safety and Insurance Board (WSIB) claims to properly process these claims.

“However, counsel confirmed that SIN collection was not authorized by any statute or regulation.”

Woo’s report adds “Counsel also informed the IPC that BWH collected SINs from non-WSIB patients between 1999 and 2006. However, the hospital was unable to locate former department leaders who were employed in 2006 and was unable to determine the reason for this practice.”

The IPC investigator found those 20,000 patients affect by the release of the SINs also had information such as oncology treatment records, photos of operations and procedures such as colonoscopys, residential withdrawal management patient charting and financial information related to co-payments.

Woo says the Personal Health Information Protection Act says health care providers should not collect more personal health information than is reasonably necessary. He adds while there is “an exception where collection of personal health information is required by law, BWH in this case did not provide a basis in law for collecting the patients’ SINs.”

Woo says the hospital stopped collecting SINs May 2024. The hospital also told Woo any Social Insurance Numbers collected in the past have been purged from their system.