Privacy breach highlights need to enforce policies

The privacy breach at a Scarborough hospital demonstrates the need for health-care institutions to not only have privacy policies in place, but to fully enforce them, Toronto health lawyer Elyse Sunshine tells the Toronto Star.

“It’s a wake-up call for everybody else,” Sunshine, partner with Rosen Sunshine LLP, says in the article.

She tells this situation is a "good reminder for health-care providers that if their policies are not enforced, if their staff don't have appropriate training or if they don't self-audit their privacy practices, they will be ill-equipped to respond to an investigation.

"Breaches may occur – it's hard to guard against intentional actions by rogue employees – but custodians of health information need to be able to say they have done everything in their power to prevent a breach. Hopefully, the hospital has done that."

The Star is reporting that officials at Rouge Valley Centenary called Toronto police about two former employees who leaked patient contact information and were allegedly paid to do so by private companies.

"The contact records of as many as 8,300 patients, mostly new mothers, were used to try to sell the parents Registered Education Savings Plans in the days after they gave birth at the hospital," says the Star article.

The newspaper says Ontario’s privacy commissioner is also investigating the possibility that the two Rouge Valley employees had access to the patient records of other hospitals through a shared electronic health record.

St. Michael’s Hospital in Toronto has said it has launched its own internal investigation after hearing from a woman who said she was contacted by a private RESP seller after she gave birth at the hospital, says the Star.

"The Ontario Securities Commission is also investigating the matter, and could potentially lay quasi-criminal charges or bring fines of up to $1 million against individuals or companies engaged in conduct contrary to the public interest," says the article.

In an interview with, Sunshine notes the privacy commissioner, in conducting her investigation, will be interested in examining whether the hospital had appropriate policies and procedures in place, whether there were enforced, whether staff who managed personal health information had adequate training and education on privacy, as well as whether the hospital had a "culture of privacy."

She says the commissioner will look closely at how the breach occurred and why it occurred.

"You really have to have this culture of privacy and if you don't, it's just not going to be tolerated anymore," she says.

Sunshine says this case is a little different from other breaches that have occurred in Ontario and says the circumstances in this leak may set the stage for changes, not only to privacy practices, but in caps for damages currently in place for privacy breach cases in civil court.

"I'm not aware of any cases in Ontario where those responsible for the breach have sold the information for profit – I think this is a new one," she tells the online legal news service. "Because this has the nuance where somebody has actually made a profit, it may change things.

"This could make for a very interesting civil case and certainly, it will be interesting to review the privacy commissioner's findings."

To Read More Elyse Sunshine Posts Click Here