The laptop, which contained patient names, birthdates and diagnostic reports, was stolen from a lab used to test brain activity.
The lab was locked, but the laptop was neither encrypted nor password-protected.
"We have a policy for protection and in this instance it just was not protected," Ann Ford, chief privacy officer for the William Osler Health System, told CBC News.
A commenter at PHIprivacy.net explained that the hospital does "require encryption on any device that stores PHI. The problem is that clinicians will work directly with vendors, without the involvement of IT, and acquire systems that do not conform to policy. It used to happen very often, and this is likely one of those cases."
Patients who were tested between January 2011 and January 2014 are affected, and are currently being notified of the breach.
"We think that there's no further action they need to take," Ford told CBC News. "But, however, if they feel comfortable contacting their financial institution we leave that up to them."
In response to the incident, the hospital is now securing all laptops with cable locks.