Criminal charges laid in patient records privacy breach


Criminal charges have been laid after thousands of confidential records were allegedly stolen from two Toronto hospitals and used to market registered education savings plans to new mothers.

The alleged incidents involved the Rouge Valley Health System and the Scarborough Hospital and were investigated by Ontario's financial regulator, which oversees the sale of RESPs.

One former Rouge Valley employee had already been charged in connection with the alleged misuse of patient information, but the Ontario Securities Commission said Tuesday that its investigation has lead to fresh charges against five more people.

The OSC alleges that Nellie Acar, a former sales representative for a company called Global RESP Corporation, bought stolen maternity patient labels from Esther Cruz, a registered nurse who worked at both hospitals.

It says Acar allegedly used the patient information as a source of RESP investment sales leads, and at least twice allegedly submitted false education savings plan enrolment applications through her company.

Acar is charged with two counts of secret commissions, two counts of forgery, two counts of uttering a forged document and two counts of possession of property obtained by crime, while Cruz is charged with two counts of secret commissions, two counts of breach of trust by a public officer and two counts of theft under $5,000.

In a similar case, the OSC alleges Poly Edry, a former branch manager with a company called Knowledge First Financial, bought confidential maternity information over a period of about five years from a former Rouge Valley Hospital clerk named Shaida Bandali _ who has already been charged with unregistered trading.

Bandali also allegedly sold confidential maternity information for about two years to Subramaniam Sulur, who worked as an assistant branch manager with a company called Consultants Inc.

The OSC alleges both Edry and Sulur provided the confidential information to sales representatives at their former firms as a source of potential RESP investment sales leads.

Edry and Sulur have each been charged under the Securities Act with one count of failing to act fairly, honestly and in good faith with clients, and one count of participating with an unlawful referral arrangement.

Edry's spouse, Gavriel Edry, allegedly helped with gathering and dissemination of confidential maternity information and has been charged with one count of unregistered trading.

None of the allegations have been proven in court.

The company Poly Edry worked for said the independent sales representative and her husband collaborated in ``purposeful deception.''

``We are sorry this incident has violated public trust,'' it said in a statement. ``Knowledge First Financial immediately suspended Ms. Edry, launched an internal investigation into the matter, and transitioned operations of her branch to head office.''

The company said it also completed a third party audit of its operations to make sure no other branch was involved in the alleged breach.

The Scarborough Hospital did not immediately respond to a request for comment, but a spokesman for Rouge Valley said the hospital takes the health care and privacy of its patients ``very seriously.''

``We continue to co-operate and fully support the investigation by the Joint Serious Offences Team,'' said David Brazeau.

Rouge Valley has previously said it believes its former employees may have used and disclosed information on patients who gave birth at its hospital sites between July 9, 2009 and April 5, 2014.

The alleged breach at Rouge Valley was investigated by Ontario's privacy commissioner, who found in December that the hospital failed to put reasonable safeguards in place to protect patients' privacy.

The alleged breaches also led to a proposed class-action lawsuit being filed against Rouge Valley, alleging thousands of new mothers and their babies had their personal information sold for profit.

One of the two lead plaintiffs in the proposed class action alleged she started getting aggressive sales calls the day her son was released from the hospital and the salesperson refused to identify herself. The phone number the salesperson was using was not one that could receive incoming calls, it's alleged.

The lawsuit is seeking damages of upwards of $300 million.

In an interview with, Toronto health lawyer Elyse Sunshine says the criminal charges are a significant development because it’s quite unusual that a privacy breach would result in criminal charges.

“From the time the story broke about these privacy breaches, it has been clear that the facts are quite different than in the more typical privacy breaches, which are of the snooping nature,” she tells the online legal publication.

“In this case, there was information from the beginning that suggested that these breaches were done for the express purpose of profiting, which places this kind of breach in a different category.”

Sunshine, partner at Rosen Sunshine LLP, says it’s important to note that the nurse who has been named here will likely face investigation – and perhaps a disciplinary hearing – by her own regulatory college.

“It would be surprising that she wouldn’t be investigated by the college given the fact that she has been charged criminally at this point,” she says.

Sunshine, who isn’t acting as counsel in this matter and is speaking generally, says the criminal charges signify a shift.

“There seems to be an ongoing issue that frontline workers do not comply with health care institutions' privacy policies and practices,” she says. “In this particular case, it is an extreme situation where the breach seems to have occurred for the financial benefit of the people responsible for the breach.

“And because this situation occurred, we are seeing reverberations generally in the privacy community with more and more media reports, the lawsuits brought against institutions and perpetrators of the breaches, as well as a call for prosecutions and a commitment to review the existing legislation by the privacy commissioner. This is precisely the type of privacy breach that the privacy legislation is aimed at avoiding – this is the worst-case scenario.”

- With files from

© 2015 The Canadian Press

To Read More Elyse Sunshine Posts Click Here