Ontario Government AI: Unsecured Data and Hallucinating Medical Tools

The scale of the personal data exposure is extraordinary. 12,000 Ontario Public Service employees were uploading citizens' most sensitive information — health cards, driver's licences, credit card numbers, vendor contracts — to commercial AI websites rated unsafe or unsecured, with no controls in place to stop them. Ontarians never consented to their personal data being processed by foreign commercial AI services. The government had no procurement framework, no security review process, and no audit trail. As Canada's National Observer reported, the watchdog found the Ministry had simply not implemented the controls that would have prevented this from happening.

The medical AI findings represent a direct patient safety risk. Of 20 approved AI scribe systems tested by the Auditor General, nine fabricated clinical information including treatment suggestions that were never discussed, twelve recorded wrong medication details, and seventeen missed important mental health information. As Global News reported, these tools were already in active use in Ontario healthcare settings when the audit was conducted — meaning patients may have received care based on AI-generated records containing fabricated or missing information, without knowing it. The 17-out-of-20 failure rate on mental health details is particularly alarming given Ontario's ongoing mental health crisis and the consequences of missed diagnoses.

The government's procurement failure compounds both problems. Deploying AI tools in clinical settings — where errors can directly harm patients — without adequate pre-deployment testing represents a fundamental breakdown of the government's duty of care to both patients and healthcare providers. CTV News reported that no approved AI procurement framework existed at the time these tools were approved for clinical use. The Auditor General's full performance audit documents the absence of governance structures that should have been in place before any AI tool touched patient data or government records.

This is part of a broader pattern of technology governance failure under the Ford government. The FOI transparency scandal revealed that the Premier's office used Google Docs and personal Gmail accounts to conduct government business — a deliberate circumvention of Freedom of Information laws. Across both scandals, the common thread is a government that has repeatedly used or misused technology to avoid accountability, whether by routing decisions outside official channels or by deploying AI tools with no framework for oversight, testing, or transparency.

Patients across Ontario have no way of knowing whether AI-generated content in their medical records is accurate. The AI scribe tools found to fabricate diagnoses, prescribe wrong medications, and miss mental health details were already in active clinical use when the audit was conducted. Wrong prescription records could affect future treatment decisions, drug interaction assessments, and insurance claims. Missed mental health details could result in inadequate follow-up care. As the Auditor General's report makes clear, these systems were deployed without the testing that would have caught these failures before they reached patients.

Citizens whose personal data was uploaded to unsecured AI websites have no recourse and — critically — no notification. The government has not disclosed which individuals' data was exposed, which AI services received it, or what those services may have done with it. Health card numbers, driver's licence information, and financial data uploaded to foreign commercial AI platforms may have been retained, used for model training, or exposed to third parties. Ontario's privacy framework does not require public disclosure of this type of diffuse, ongoing data exposure, leaving affected citizens without the information they would need to protect themselves. As CP24 reported, the auditor found no controls had been implemented to prevent the uploads.

The absence of an AI governance framework means these problems will persist. Ontario has no mandatory AI impact assessments, no disclosure requirements for AI use in healthcare settings, and no audit trail for AI-generated clinical notes. Without legislative requirements for pre-deployment testing of AI tools in high-stakes settings, procurement decisions will continue to be made without the safeguards that patients and the public require. The Auditor General's report documents a policy vacuum at the centre of the government's approach to AI — and until that vacuum is filled with binding rules, the same failures can recur in any ministry, hospital, or clinic that adopts the next generation of AI tools.