Search Français Dial-Up & Satellite

• About the Office

• Ombudsman Division

• Access and Privacy Division
  • FIPPA
    • FIPPA FAQ
    • Make a FIPPA complaint
    • FIPPA Practice Notes and Guidelines
    • FIPPA Audit Reports
    • FIPPA Investigation Reports
    • Longer Extensions Under FIPPA
      • Longer Extensions Form
  • PHIA
    • PHIA FAQ
    • Make a PHIA complaint
    • PHIA Investigation Reports
    • PHIA Practice Notes and Guidelines
  • Brochures, Fact Sheets and Guides
  • Privacy Impact Assessment
  • Privacy Breach Resources
  • Identity Theft
  • FIPPA and PHIA Reviews
  • Events
    • Lunch and Learn Sessions
    • Data Privacy Day
    • Right to Know Week
  • Federal, Provincial, Territorial
  • Links

PHIA Investigation Reports

Upon completion of our investigation of an access or privacy complaint under PHIA, we provide a report to the complainant and the public body/trustee containing our findings and any recommendations the ombudsman considers appropriate about the complaint.

In cases where we have made recommendations, the act requires that we make our recommendations available to the public and we may do so by publishing them on a website. We are publishing our reports containing recommendations along with our summary of the response to the recommendations by the public body/trustee.

We are also publishing selected investigation reports issued by the ombudsman in cases where recommendations were not made. These reports contain our findings about how specific provisions of the act are applied.

Note: A web version of a report may have been edited from the original version. 

Reports are available in alternate formats upon request.

Reports with Recommendations and Response

• Case 2020-0184 – 2023-06-23

  Manitoba Conservation and Climate. Provisions under FIPPA: 2, 36(1), 36(2), 37(2), 49. Provisions under PHIA: 2, 13(1), 13(2), 28. Our office received complaints from the public about Conservation and Climate's collection of personal and/or personal health information through its online elicensing system for the sale of various wildlife, fisheries and other outdoor licences and permits. Our office notified the department that we initiated an investigation to determine if the collection of personal and/or personal health information by the elicensing system is compliant with FIPPA and PHIA. The elicensing system is structured as a two-step process: first, a person or business must set up an online “customer account.” Second, a person or business may purchase various licences and permits through their customer account. Both steps of the process require the collection of personal and/or personal health information for distinct purposes. Our investigation found that the department’s elicensing system contravenes FIPPA and PHIA in that it collects more personal and/or personal health information than is reasonably necessary in the first step of the process, the creation of a customer account. We also found that while the department initiated a Privacy Impact Assessment (PIA), it was not completed prior to implementing the elicensing system and the department has not established what information is necessary to set up a customer account or what information is necessary for the distinct and separate action of purchasing different licences or permits. Therefore, our office made five recommendations to the department. In response to receiving the report and the ombudsman’s recommendations, the department accepted the recommendations.

  case-2020-0184-en-en-1.pdf
  973.63 KB
  

  Download
• Case 2020-1304 – 2021-04-29

  Manitoba Families. This case concerned a privacy breach involving the personal health information of 8,900 children receiving services from the Children’s disAbility Services (CDS) program of Manitoba Families. The children’s personal health information was unintentionally disclosed in a misdirected email to about 100 service agencies and community advocates. 

  case-2020-1304-en.pdf
  1.12 MB
  

  Download
• Case 2014-0500 – 2017-12-12

  Manitoba Health, Seniors and Active Living (MHSAL); unauthorized access to personal health information in the databases of the Provincial Drug Program (PDP) branch; privacy investigation – collection, use, disclosure, security; ombudsman found that the department failed to respond in a timely way to the incidents of unauthorized access by one of its employees and that the department did not, at the time, have in place sufficient policies, procedures and other safeguards to meet its obligations under PHIA.

  case-2014-0500-en.pdf
  594.45 KB
  

  Download
• Case 2013-0419 – 2015-03-03

  Health professional (psychologist); refusal of access in response to an individual’s request to view and receive copies of the individual’s own personal health information; provisions 7(1)(a), 7(1)(c) and 11(1); ombudsman found that the trustee did not respond to the request and did not provide reasons for refusing access; trustee did not accept the ombudsman’s recommendations and the matter was referred to the information and privacy adjudicator for review.

  Read the Information and Privacy Adjudicator Decision issued March 23, 2015

  case-2013-0419-en.pdf
  389.02 KB
  

  Download
• Cases 2011-0513 and 2011-0514 (Report on Compliance with Recommendations) – 2014-04-29

  CancerCare Manitoba; report on compliance with recommendations issued in 2012. In September 2013 CancerCare reported to the ombudsman that it had completed implementation of all the recommendations contained in the report.

  cases-2011-0513-0514-web-version-en.pdf
  59.09 KB
  

  Download
• Cases 2011-0513 and 2011-0514 – 2012-09-12

  CancerCare Manitoba; use of personal health information and security of personal health information; provisions 18, 19, 20, 21, 39, 60, 63, 64 of The Personal Health Information Act; 2, 4, 5, 6, 7, 8 of the Personal Health Information Regulation; and Manitoba Health's Guideline for Auditing Records of User Activity; ombudsman found that the employee's use of personal health information contravened PHIA and that additional measures should be taken to protect electronic health information.

  cases2011-0513-0514-en.pdf
  160.52 KB
  

  Download
• Case 2011-0079 – 2011-11-28

  Flin Flon Clinic; failure to destroy personal health information in a secure manner; provisions 17(1), 17(2), 17(3), 25(3) and Regulation 245/97; ombudsman found that the trustee was not in compliance with PHIA regarding destruction of personal health information.

  case2011-0079-en.pdf
  52.16 KB
  

  Download

Access Reports

• Case 2014-0153 – 2015-03-17

  St. Boniface General Hospital; complaint about unreasonable fee for access to personal health information; provision – section 10; ombudsman found that the fee was reasonable in the circumstances.

  case-2014-0153-en.pdf
  210.63 KB
  

  Download
• Case 2014-0451 – 2015-03-17

  Health Sciences Centre; refused access to a hospital in-patient’s chart within the 24 hour time frame as set out in PHIA; provisions 6(1)(a), 6(1.1) and 6(3); ombudsman found that the complaint was supported.

  case-2014-0451-en.pdf
  50.75 KB
  

  Download

Privacy Reports

• Case MO-00783 – 2023-08-31

  Manitoba Families. Follow-up on the status on the department’s implementation of nine privacy breach recommendations identified in Manitoba Ombudsman’s April 2021 Children’s disAbility Services (CDS) systemic investigation. The investigation concerned a privacy breach where the personal health information of 8,900 CDS service recipients was unintentionally disclosed. Our office determined that Families has fully implemented seven of nine recommendations, and needs to take further actions on two recommendations.

  case-mo-00783-en-en.pdf
  441 KB
  

  Download
• Case MO-00342 – 2023-08-30

  Manitoba Health and Manitoba Consumer Protection and Government Services; review of the privacy implications of the province’s immunization card initiative, a public health response to Covid-19. Manitoba Ombudsman found that the collection, use, and disclosure of personal health information by the departments for the initiative was authorized under PHIA, including being limited to the minimum amount reasonably necessary to accomplish the purpose. Participation was initiated by the individual and was based on informed consent. Written agreements and other security safeguards were in compliance with the requirements of PHIA. The departments made use of tools, such as a privacy impact assessment (PIA), to assist in understanding privacy implications during the development of the initiative and was encouraged by the ombudsman to conduct a PIA for any new uses of initiative technology or personal health information. The ombudsman noted the importance of having a decommissioning plan when the personal health information collected no longer serves a public health purpose.

  case-mo-00342-en-en.pdf
  1.5 MB
  

  Download
• Case 2018-0195 – 2021-01-19

  Winnipeg Regional Health Authority. Provisions 20(1), 20(2), 20(3), 21. A nurse at Grace General Hospital inappropriately accessed 1756 patient records in the Winnipeg Regional Health Authority (WRHA) Emergency Department Information System (EDIS). The nurse accessed the EDIS records by using login credentials that she had obtained while working in an emergency department at a different employer, Seven Oaks General Hospital. At the time the records were accessed, the nurse was not providing care to emergency department patients at Grace General Hospital and did not have an employment need to access the records. The WRHA conducted an internal investigation of the breach and reported the breach to our office. Our review of the WRHA investigation and response found that the WRHA took reasonable and appropriate steps to address this breach.

  case-2018-0195-en.pdf
  272.52 KB
  

  Download
• Case 2019-0266 – 2019-09-26

  Workers Compensation Board. Provisions 19.1(1), 19.1(2), 20(1), 22(1)(b). A worker complained that her personal health information was disclosed by the Workers Compensation Board (WCB) to her employer as part of the process for a reconsideration of an adjudicator’s decision. The complainant consented to the disclosure of the claim file information, however after the disclosure was made, the WCB determined that it would not be proceeding with a reconsideration. Our office found that the disclosure was authorized under PHIA as it was made with the consent of the worker and while the reconsideration process was ongoing. In the course of our investigation, we raised questions about the process for disclosure to an employer during a reconsideration or review, and also about the timeliness of the retrieval of the information after it has been sent to an employer but it has been determined that a review or reconsideration will not proceed. The WCB reviewed the employer file access process with relevant staff and advised staff of the importance of retrieving claim file information as soon as possible in the event the appeal does not proceed. The WCB will also conduct a review of its policies relating to disclosure of file information to employers, which will be from a privacy perspective.

  case-2019-0266-en.pdf
  249.50 KB
  

  Download
• Case 2017-0143 – 2019-04-23

  Winnipeg Regional Health Authority. This case concerned a privacy breach involving the personal health information of 91 patients who received magnetic resonance imaging (MRI) scans within the Winnipeg Regional Health Authority (WRHA) between 2008 and 2016. The patients’ health information was disclosed in violation of PHIA to several media organizations. The ombudsman found that the WRHA responded appropriately to the privacy breach. The ombudsman was not able to determine the identity of the person(s) who made the unauthorized disclosures to media organizations and was not able to determine whether the breach originated within the WRHA. However, the review identified several measures that trustees should consider in an effort to minimize the risk of intentional or inadvertent privacy breaches in the case of bulk disclosures of personal health information.

  case-2017-0143-en.pdf
  589.49 KB
  

  Download
• Case 2017-0479 – 2018-12-17

  Victoria General Hospital. Provisions considered: 18(1), 19. While attending the Victoria General Hospital for a medical procedure, a nurse collected an individual’s medical history through a verbal discussion in a semi-public area of the hospital, where others could hear the discussion. The individual complained about the hospital’s failure to safeguard her personal health information. Our office found that the hospital did not adequately protect personal health information from the risk of inadvertent unauthorized disclosure, and we supported the complaint. During our investigation, the hospital made changes to the layout of the unit to provide greater physical and visual separation of patients during the intake procedure. Our office concluded that because of these changes, the hospital implemented reasonable safeguards to protect personal health information discussed with patients during the intake process.

  case-2017-0479-en.pdf
  200.88 KB
  

  Download
• Case 2018-0299 – 2018-11-13

  Manitoba Public Insurance. Provisions considered: 19.1(1), 20(1), 20(2), 22(2)(k), 22(2)(o), 22(3). An individual made an injury claim with Manitoba Public Insurance (MPI) and subsequently appealed MPI’s decision to the Automobile Injury Compensation Appeal Commission (AICAC). As part of the appeal process, MPI provided copies of four reports containing the individual’s personal health information to AICAC. In a complaint to our office, the individual alleged that MPI disclosed his personal health information to AICAC without his consent, and therefore was contrary to PHIA. Our office found that the disclosure of the individual’s personal information was authorized. The complaint was not supported.

  case-2018-0299-en.pdf
  247.84 KB
  

  Download
• Case 2017-0297 – 2017-12-20

  Health-care facility; collection of information about an individual’s religion; provision 13(1); ombudsman found that the collection of information about the individual’s religion was not necessary for the purpose of providing health care. The hospital agreed to implement procedures to limit the collection of this information to circumstances that may reasonably involve the provision of spiritual care to patients.

  case-2017-0297-en.pdf
  398.20 KB
  

  Download
• Case 2015-0142 – 2016-11-30

  Appeal Commission (Workers Compensation Board); disclosure of personal health information by the commission to the complainant’s former employer; provisions 20(1), 20(2), 22(2)(o); ombudsman found that the disclosure was authorized under clause 22(2)(o) of PHIA and that the disclosure was not limited as required under subsections 22(2) and 22(3) of PHIA.

  case-2015-0142-en.pdf
  333.70 KB
  

  Download
• Cases 2015-0352, 2015-0353, 2015-0354 – 2016-11-30

  Health services agency; unauthorized collection, use and disclosure of personal health information by the complainant’s employer, a Winnipeg health services agency; provisions 13(1), 13(2), 14(1), 14(2)(a)(c.1), 20(2)(3), 22(2)(n); ombudsman found that the collection of personal health information was authorized under clauses 13(1)(a) and (b) of PHIA, that the indirect collection from someone other than the complainant was authorized in the circumstances of this complaint, and that routine indirect collection of personal health information is not suggested or recommended as this is inconsistent with clause 14(1) of PHIA. The ombudsman found that the use of the complainant’s personal health information by the agency was in compliance with PHIA and that disclosure of the complainant’s personal health information to his union without express consent was authorized under clause 22(2)(n) of PHIA in the particular circumstances of this complaint.

  cases-2015-0352-0353-0354-en.pdf
  469.82 KB
  

  Download
• Case 2014-0050, 2014-0052 and 2014-0254 – 2015-03-17

  Manitoba Public Insurance; unauthorized collection, use and disclosure of personal health information; provisions 13(1), 13(2), 20(2), 22(2)(o); ombudsman found that there had been an unauthorized collection of personal health information and subsequent unauthorized use and disclosure of the personal health information.

  case-2014-0050-0052-0254-en.pdf
  85.38 KB
  

  Download
• Case 2014-0053 – 2015-03-17

  Appeal Commission (Workers Compensation Board); disclosure of personal health information by the commission to an individual’s employer; provision 22(2)(o); ombudsman found that PHIA permits disclosure of personal health information where authorized or required by an enactment of Manitoba or Canada, in this case The Workers Compensation Act.

  case-2014-0053-en.pdf
  52.28 KB
  

  Download
• Case 2014-0012 – 2014-04-29

  Misericordia Health Centre and Misericordia Health Centre Foundation; disclosure of personal health information; provisions clause 22(2)(f) and subsections 23.2(1)(2) of PHIA and subsection 8.1(4) of the Personal Health Information Regulation; ombudsman found that the trustee had authority under PHIA to have disclosed the information to the foundation, however, the trustee did not fully comply with the requirement to give notice about the disclosure of personal health information to its charitable foundation for fundraising purposes.

  case-2014-0012-web-version-en.pdf
  66.39 KB
  

  Download
• Cases 2013-0111 and 2013-0113 – 2014-04-29

  Winnipeg Regional Health Authority; use and disclosure of personal health information by an employee of the Winnipeg Health Sciences Centre; provisions 18(1), 19, 21(a), 22(1); ombudsman found that the employee's use and disclosure of the personal health information was carried on outside the employee's work related duties and was therefore not authorized by PHIA.

  cases-2013-0111-0113-web-version-en.pdf
  117.79 KB
  

  Download
• Case 2013-0016 – 2013-06-04

  Workers Compensation Board; disclosure of personal health information (prescribed medications) to an employer, in respect of an appeal filed by the complainant; provision 22(2); ombudsman found the complaint supported as the disclosure of personal health information to the complainant’s employer was not authorized under PHIA.

  case-2013-0016-en.pdf
  25.64 KB
  

  Download