Privacy watchdog makes several recommendations after data breach involving Otter.ai
An Ontario hospital's privacy breach involving an AI transcription tool reveals how organizational oversights can undermine even the strongest data protection intentions.
According to an investigation into the incident, the breach resulted from "two critical security gaps."
First, a former physician used his personal email address in a meeting group, contrary to hospital policy. Second, the meeting organizer did not remove the physician from the meeting invite following his departure in June 2023, according to the Information and Privacy Commissioner of Ontario (IPC).
As a result, when the physician installed Otter.ai on a personal device in September 2024, the transcription tool was able to access the rounds meeting invite via the physician's personal digital calendar.
Breach extends far beyond original participants
On Sept. 23, 2024, the AI tool automatically joined a virtual hepatology rounds meeting attended by hospital physicians, according to the IPC. The breach went undetected until a meeting summary and access to a transcript of the recording were automatically emailed to participants after the meeting.
Otter.ai — which uses artificial intelligence to transcribe spoken words into text and is designed to allow users to obtain detailed meeting notes and summaries — distributed the sensitive material automatically.
The exposure of protected health information was substantial. The IPC reported...