• First Reference
  • About us
  • Contact us
  • Blog Signup 📨

First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies
You are here: Home / Business / Hospital privacy breach results in OSC laying charges

By Occasional Contributors | 3 Minutes Read November 25, 2015

Hospital privacy breach results in OSC laying charges

privacyThe Ontario Securities Commission (“OSC”) has announced a series of criminal and quasi-criminal charges following an investigation related to the misuse of confidential patient information from the Rouge Valley Health System and the Scarborough Hospital. The OSC charges stem from allegations that a RESP sales representative purchased stolen maternity patient labels from a hospital nurse over a two-and-a-half-year period. The health information of approximately 14,000 new mothers was allegedly compromised.
This comes 6 months after a separate review by the Information and Privacy Commissioner of Ontario (“IPC”) which determined that Rouge Valley Health System failed to put in place “reasonable technical and administrative safeguards to protect patient information.” In an Order issued in December 2014, the IPC found the hospital was not in compliance with its obligations under the Personal Health Information Protection Act, 2004 (“PHIPA”) and ordered the hospital to implement changes to its electronic information systems, revise its privacy and audit policies, as well as deliver privacy training to all staff.
The OSC action is independent of that of IPC, with the OSC empowered to protect investors from unfair, improper or fraudulent practices and to foster fair and efficient capital markets. It can proceed with charges before its own tribunal, or lay quasi-criminal charges under the Ontario Securities Act before a court. The latter process allows the regulator to seek jail terms of up to five years and fines of up to $5-million.
In the court proceedings, the sales representative is alleged to have used confidential patient information as a source of potential RESP investment sales leads, and has been charged with the following alleged breaches of the Criminal Code:

  • Two counts of secret commissions (s. 426(1)(a))
  • Two counts of forgery (s. 366(1))
  • Two counts of uttering a forged document (s. 368(1)(b))
  • Two counts of possession of property obtained by crime under $5000 (s. 354(1))

The nurse who allegedly supplied the patient information has been charged with the following alleged breaches of the Criminal Code:

  • Two counts of secret commissions (s. 426(1)(a))
  • Two counts of breach of trust by a public officer (s. 122)
  • Two counts of theft under $5000 (s. 334)

The OSC investigation further alleges that another financial services company’s branch manager purchased confidential maternity information over an approximate five-year period from a former Rouge Valley Hospital clerk. The clerk had been previously charged in November 2014 with unregistered trading, contrary to s. 25(1) of the Ontario Securities Act (other individuals were also alleged to have purchased confidential maternity information from the clerk over an approximately two-year period). These charges included:

  • One count of failing to act fairly, honestly and in good faith with clients, contrary to OSC Rule 31-505 and contrary to s. 122(1) of the Securities Act
  • One count of participating in an unlawful referral arrangement with another person, contrary to National Instrument 31-103 and contrary to s.122(1) of the Securities Act

The hospital is also facing a class action, which until recently had been stalled pending the decision of the Ontario Court of Appeal in Hopkins v. Kay. In that case, the Court of Appeal rejected the argument that PHIPA was a comprehensive code that precluded tort claims, and held that a private plaintiff may bring a class proceeding for damages in tort. In that case, the action was against Peterborough Regional Health Centre for unauthorized access to personal health information.
The end result of all this activity is that health information custodians (and others who handle personal health information) may not only face significant civil exposure for unauthorized access to such information by a rogue employee or third party, but may also be subject to investigation by the OPC and possibly by enforcement bodies in those sectors where there exists a separate regulatory and enforcement regime.
By Kirsten Thompson, McCarthy Tétrault’s Cybersecurity, Privacy and Data Protection Group

  • About
  • Latest Posts
Occasional Contributors
In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.
Latest posts by Occasional Contributors (see all)
  • Ontario Court decision is first donor advised fund case and provides some certainty about DAFs - January 31, 2023
  • Corporations Canada and new transparency about federal non-profit corporations under the CNCA and new fees for certain documents - December 21, 2022
  • How much should a Canadian registered charity spend on administration? - November 30, 2022

Article by Occasional Contributors / Business, Information Technology, Privacy / criminal and quasi-criminal charges, cybersecurity, data protection, health information custodians, Ontario Securities Act, Personal Health Information Protection Act 2004, privacy breach, The Ontario Securities Commission

Share with a friend or colleague

Get the Latest Posts in your Inbox for Free!

Electronic monitoring

About Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Footer

About us

Established in 1995, First Reference is the leading publisher of up to date, practical and authoritative HR compliance and policy databases that are essential to ensure organizations meet their due diligence and duty of care requirements.

First Reference Talks

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies

Main Menu

  • About First Reference
  • Resources
  • Contact us
  • 1 800 750 8175

Stay Connected

  • Facebook
  • LinkedIn
  • Twitter
  • YouTube

We welcome your comments on our blog articles. However, we do not respond to specific legal questions in this space.
We do not provide any form of legal advice or legal opinion. Please consult a lawyer in your jurisdiction or try one of our products.


Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved
Legal and Copyright Notices · Publisher's Disclaimer · Privacy Policy · Accessibility Policy