Provincial Regulator Weighs in on AI Transcription Tools After Hospital Privacy Breach

Published on

January 29, 2026

In a letter dated October 27, 2025, the Information and Privacy Commissioner of Ontario (the “IPC”) addressed a self-reported breach (“Breach”) by an Ontario hospital under the Personal Health Information Protection Act (“PHIPA”). The Breach involved the inadvertent recording of personal health information by an artificial intelligence (“AI”) transcription tool during virtual hepatology rounds attended by hospital physicians (Reported Breach HR24-00691). The Breach illustrates the potential privacy risks posed by unapproved AI tools.

During a virtual hepatology rounds meeting held on September 23, 2024, the rounds were automatically recorded and transcribed by Otter.ai, an AI-powered meeting transcription tool (“AI Tool”) that had not been approved for use by the hospital. Although the physician associated with the AI Tool account had left the hospital more than a year earlier, two security failures had allowed the AI Tool to access the meeting: (1) the former physician had used his personal email address instead of his work email address in the meeting group, contrary to hospital policy and (2) the meeting organizer never removed the physician from the calendar invite after he left the hospital.

As a result, the AI Tool used the invitation sent to the departed physician’s personal email address to join the meeting without notice, record it and generate a transcript, which captured the personal health information of seven hospital patients, including their names, sex, diagnoses and treatment information. The AI Tool then emailed the transcript to the meeting participants, which is how the Breach came to the hospital’s attention. The hospital reported the Breach to the IPC and took steps to contain it and to prevent similar incidents, including: cancelling the invitation sent to the AI Tool so that it could not attend future meetings; identifying the meeting attendees and requiring them to delete the transcript from all systems and devices; directing the removal of the AI Tool and similar tools from any devices associated with the hospital; blocking AI scribe tools on its network; and updating training and policies to expressly prohibit the use of unapproved AI applications. Notably, 12 of the meeting participants also appeared to have left the hospital and never responded to the hospital’s request. The hospital also notified the affected patients or, where applicable, their estates.

In addition to the containment and remediation steps taken by the hospital, the IPC made several further recommendations. These included: directly requesting that the AI Tool’s vendor delete the personal health information collected from the September 23, 2024 meeting, and updating the hospital’s privacy breach protocol to require direct contact with third-party vendors in any similar future incident; updating the hospital’s Acceptable Use Policy to prohibit the use of non-hospital-approved devices for hospital-related work; strengthening offboarding processes so that individuals’ access to systems and calendar invitations is revoked once they leave the organization; mandating virtual meeting “lobbies” for meetings in which personal health information is discussed, so that each participant is manually approved before joining; and enhancing the hospital’s AI governance and accountability frameworks.
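The two failures described above (a personal email address on a meeting group, and a departed user left on a recurring invite) are both detectable with a routine audit of invitee lists against an HR roster and an approved-domain list. The following is an added example of such an audit, written for this page; it is not code from the IPC, the hospital or any vendor. All names, domains, staff rosters and meeting invitee lists in it are constructed for illustration, and a real deployment would pull the invitee lists from the organization’s calendar platform rather than from an inline dictionary.

```python
"""
Audit recurring-meeting invitees for the two conditions behind the breach:
(1) an address outside the approved work domain(s), and
(2) a work address that no longer appears in the active-staff roster.
Also shows the offboarding hook: which invites still list a departing user.

All data below is constructed for illustration (hypothetical domain,
people and meetings); none of it comes from the IPC letter.
"""
from dataclasses import dataclass

# Hypothetical approved work domain(s). Personal webmail domains are not listed,
# so any such address is flagged regardless of who it belongs to.
ALLOWED_DOMAINS = {"hospital.example"}


@dataclass(frozen=True)
class Finding:
    meeting: str   # meeting name the invitee was found on
    email: str     # normalized invitee address
    reason: str    # why it was flagged


def normalize(email: str) -> str:
    """Lower-case and trim so roster and invite addresses compare reliably."""
    return email.strip().lower()


def domain_of(email: str) -> str:
    """Return the part after the last '@' (empty string if there is none)."""
    return email.rsplit("@", 1)[-1] if "@" in email else ""


def audit_invites(meetings: dict, active_staff: set, allowed_domains=ALLOWED_DOMAINS):
    """Return a Finding for every invitee that fails either check.

    Order matters: a personal address is reported as 'non-approved domain'
    and is not additionally reported as missing from the roster, since a
    personal address would never be on the roster anyway.
    """
    active = {normalize(e) for e in active_staff}
    findings = []
    for meeting, invitees in meetings.items():
        for raw in invitees:
            email = normalize(raw)
            if domain_of(email) not in allowed_domains:
                findings.append(Finding(meeting, email, "non-approved domain"))
            elif email not in active:
                findings.append(Finding(meeting, email, "not in active staff roster"))
    return findings


def offboarding_removals(departing_email: str, meetings: dict) -> list:
    """Offboarding hook: list the meetings that still carry the departing
    user's address, so the organizer can strip the invite as part of
    revoking access (the step that was missed in the incident)."""
    target = normalize(departing_email)
    return [
        meeting for meeting, invitees in meetings.items()
        if target in {normalize(e) for e in invitees}
    ]


# Constructed sample data: a recurring rounds invite that still lists a
# personal address and a departed colleague, and a second clean meeting.
ACTIVE_STAFF = {
    "dr.lee@hospital.example",
    "dr.patel@hospital.example",
    "nurse.kim@hospital.example",
}
MEETINGS = {
    "Hepatology rounds (recurring)": [
        "dr.lee@hospital.example",
        "Dr.Patel@hospital.example",
        "former.physician@personalmail.example",   # personal address
        "dr.gone@hospital.example",                # left; never removed
    ],
    "Transplant case review": [
        "dr.lee@hospital.example",
        "nurse.kim@hospital.example",
    ],
}

if __name__ == "__main__":
    for f in audit_invites(MEETINGS, ACTIVE_STAFF):
        print(f"{f.meeting}: {f.email} -> {f.reason}")
    print("offboarding dr.gone:", offboarding_removals("dr.gone@hospital.example", MEETINGS))
```

The domain check catches the first failure in the incident (a personal address on the meeting group) and the roster check catches the second (a departed user left on the invite). Running the audit on a schedule, and running the offboarding hook whenever HR marks a departure, closes the gap that allowed a bot attached to an ex-employee’s personal account to keep receiving invites; the meeting “lobby” recommendation is a platform setting rather than something this script can enforce.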

This Breach clearly underscores the need for all charities and not-for-profits that handle personal information and/or personal health information to carefully manage and govern the use of AI convenience tools in order to mitigate the significant privacy risk they create. Charities and not-for-profits should implement robust Acceptable Use Policies, together with rigorous access controls, offboarding procedures and meeting practices, to avoid similar incidents.

Read the January 2026 Charity & NFP Law Update