Hospital employees fired for selling new moms’ personal information to companies promoting RESPS

A massive leak of personal information about patients at a suburban Toronto hospital raises this question: How much can any privacy regulation immunize us from the greed or venality of others?

Two employees at Rouge Valley Centenary Hospital in Scarborough have been let go after it was learned they funneled the names, addresses and phone numbers of some 8,300 new mothers to companies peddling registered education savings plans.

The hucksters then bombarded the families with solicitations to buy RESPs for their new offspring.

“They say, ‘Do you have children? Do you want an RESP?’” Theeban Nanthakumar, whose wife gave birth to three daughters at the hospital, told the Toronto Star.

The hospital's administrators initially decided against calling in police, opting instead to inform the office of Ontario's privacy commissioner and the Ontario Securities Commission, because it involved the sale of RESPs.

They were the two "most appropriate authorities," hospital public affairs director David Brazeau told Yahoo Canada News.

But the hospital has since changed its mind after getting legal advice and passed the names of the two staffers, who Brazeau said "no longer work here," to police. They could investigate an alleged breach of Ontario's Personal Health Information Protection Act.

Legally protecting you from an information breach

Under Section 72 of the decade-old law, it's an offence for anyone to willfully collect, use or disclose personal health information, with individuals facing a maximum fine of $50,000 and organizations $250,000.

The privacy breaches allegedly took place between 2009 and 2013, when one of those involved came forward and admitted they were being paid to turn over the information.

The hospital sent out letters to the affected patients and posted a notice on its web site last week.

The hospital won't say where the implicated employees worked.

“They were on the paper side. They were not direct health-care providers," Brazeau told Yahoo Canada News in an interview. "They were accessing information that is appropriate for their jobs, so we can provide health-care services.

"But where the breach occurred is when they sent it out externally. That was a clear breach of our policy, obviously, and just of principled behaviour that we expect from staff members.”

When to get the police involved?

Halifax privacy lawyer David Fraser said he was surprised the hospital didn't call the cops immediately.

“I would think there would be a real enthusiasm to charge someone for doing this on the part of the hospital, on the part of the privacy commissioner, if charges could be laid," he told Yahoo Canada News.

“I would think the consensus would be that an employee doing this for personal profit or personal gain is a significant breach of trust.”

While there have been other prosecutions in Canada for unauthorized access or dissemination of private health information, the scope of this breach makes it a "real outlier," according to Fraser.

"This is the first case of its type coming out of a medical environment, at least in Canada," he said.

Investigating the information leak

Ontario Information and Privacy Commissioner Dr. Ann Cavoukian said in a statement Wednesday her office has launched a major investigation into the breach, adding that so far it appears the hospital acted appropriately by terminating the employees involved.

"However, as we continue the investigation, we will be looking at the steps taken to ensure that this does not occur again in the future," she said. "It appeared to be an isolated incident when first reported to us, but this is clearly not the case."

Cavoukian said there's no evidence so far that other Ontario hospitals may have suffered breaches but investigators will look at whether the Rouge Valley employees had access to other patient records via the province's shared electronic health records.

Fraser said the incident points to the particular vulnerability of increasingly digitized and widely shared health records.

Federal and provincial legislation places restrictions on who has access to all kinds of information we entrust to public institutions, and most provinces have specific laws to safeguard sensitive health data, he said.

Who can see your information?

Information in the health sector presents a real challenge because so many people have legitimate reasons to access records. The protocols used by other parts of the public sector to ensure only authorized persons can see confidential information don't work when all sorts of health care providers need timely access.

"By default, everybody who could be involved in the care of a patient has general access based on their role," Fraser said.

"It means there are thousands of people who potentially have access to information because there’s thousands of people who potentially have need to have access to it. Putting a barrier in place and a process to get through it could in fact jeopardize patient care.”

But the need to avoid having a gatekeeper delay access to health information also increases the potential for misuse, as at Rouge Valley.

"And because you’re talking about health information the possible consequences of abuse are pretty significant," Fraser observed.

The solution is to tighten the number of individuals who have access to the information and conduct regular audits to ensure the system is not abused, he said.

“The technology’s actually developing to automate that system to show any sort of outliers," said Fraser.

Some jurisdictions send out yearly lists to patients showing who has accessed their records, inviting them to challenge anyone they think should not have seen them to justify their access, Fraser said.

Software is also being developed that looks for anomalies in patterns of access, for instance if a hospital records clerk accesses 150 files a week when the average should be 60.
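The kind of access-pattern check described above can be sketched as follows. This is an added example, not software used by the hospital or named in the article: it compares each user's weekly count of distinct records opened against peers in the same role. The log layout, user names, sample volumes and the threshold rule (median plus three scaled median absolute deviations) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def constructed_log():
    """Constructed audit rows (day, user, role, record id) for one work week."""
    monday = date(2013, 3, 4)
    volumes = {  # hypothetical users and weekly volumes
        "clerk": {"c1": 55, "c2": 58, "c3": 60, "c4": 62, "c5": 65, "c6": 150},
        "nurse": {"n1": 190, "n2": 200, "n3": 205, "n4": 210},
    }
    rows = []
    for role, users in volumes.items():
        for user, n in users.items():
            for i in range(n):
                day = monday + timedelta(days=i % 5)  # spread over Mon-Fri
                rows.append((day, user, role, f"{user}-rec{i}"))
    return rows

def flag_outliers(rows, k=3.0, min_peers=4):
    """Return (year, week, role, user, count, peer_median) for heavy users.

    Users are compared only with peers in the same role and ISO week, so a
    busy ward is not flagged just because it opens more charts than the
    records office. Repeat openings of the same record count once.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, role, record in rows:
        iso = day.isocalendar()
        seen[(iso[0], iso[1], role)][user].add(record)

    flagged = []
    for (year, week, role), users in sorted(seen.items()):
        counts = {u: len(recs) for u, recs in users.items()}
        if len(counts) < min_peers:
            continue  # too few peers for a meaningful baseline
        base = median(counts.values())
        # The median absolute deviation resists being skewed by the outlier.
        mad = median(abs(c - base) for c in counts.values())
        threshold = base + k * max(1.4826 * mad, 1.0)
        for user, count in sorted(counts.items()):
            if count > threshold:
                flagged.append((year, week, role, user, count, base))
    return flagged

if __name__ == "__main__":
    for hit in flag_outliers(constructed_log()):
        print("review access by %s (%s): %d records, peer median %.0f"
              % (hit[3], hit[2], hit[4], hit[5]))
```

A flag from a check like this is a prompt for a privacy officer to review the accesses, not proof of misuse, and it would not catch someone who stays within normal volumes.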

Electronic records provide clear benefits to health care, said Fraser, but also bring increased risks to privacy.

"It’s a matter of what steps can you take to mitigate those increased risks," he said. "The technology is certainly evolving."

Better policing of personal information

Meanwhile, the advent of health information privacy laws in the last 15 years has led to an uptick in prosecutions when breaches are discovered, said Fraser.

An Edmonton druggist was fined $15,000 in 2011 for posting personal health information on Facebook about several people she was quarrelling with, the National Post reported.

A clerk at the Vancouver Coastal Health Authority was fired but apparently not prosecuted for snooping in the medical records of some local media personalities simply out of curiosity, The Canadian Press reported in 2012.

It sometimes sets privacy law against labour law covering employees' rights, Fraser said. Hospitals that have wanted to fire someone for a proven privacy breach end up settling for lesser discipline imposed by an arbitrator when the dismissal is challenged.

Trell Huether, a spokesman for Cavoukian's office, told Yahoo Canada News it's up to the provincial attorney general to decide whether someone should be prosecuted for violating Ontario's health information law following the commissioner's investigation or a complaint by the hospital.

Individuals affected by a privacy breach can also sue for damages under Section 65 of the act, he noted. Brazeau said he's not aware of whether any of the thousands of patients targeted in this breach are planning to sue.

However, a civil action seems likely.

“This case is a worst-case scenario, because there is intentional access, there is obviously a number of employees involved, but there was also commercial dissemination,” lawyer Michael Crystal, representing patients in two class-action suits over privacy breaches at other Ontario hospitals, told the Star.