The Ontario Securities Commission (“OSC”) has announced a series of criminal and quasi-criminal charges following an investigation related to the misuse of confidential patient information from the Rouge Valley Health System and the Scarborough Hospital. The OSC charges stem from allegations that a RESP sales representative purchased stolen maternity patient labels from a hospital nurse over a two-and-a-half-year period. The health information of approximately 14,000 new mothers was allegedly compromised.
This comes 6 months after a separate review by the Information and Privacy Commissioner of Ontario (“IPC”) which determined that Rouge Valley Health System failed to put in place “reasonable technical and administrative safeguards to protect patient information.” In an Order issued in December 2014, the IPC found the hospital was not in compliance with its obligations under the Personal Health Information Protection Act, 2004 (“PHIPA”) and ordered the hospital to implement changes to its electronic information systems, revise its privacy and audit policies, as well as deliver privacy training to all staff.
The OSC action is independent of that of IPC, with the OSC empowered to protect investors from unfair, improper or fraudulent practices and to foster fair and efficient capital markets. It can proceed with charges before its own tribunal, or lay quasi-criminal charges under the Ontario Securities Act before a court. The latter process allows the regulator to seek jail terms of up to five years and fines of up to $5-million.
In the court proceedings, the sales representative is alleged to have used confidential patient information as a source of potential RESP investment sales leads, and has been charged with the following alleged breaches of the Criminal Code:
- Two counts of secret commissions (s. 426(1)(a))
- Two counts of forgery (s. 366(1))
- Two counts of uttering a forged document (s. 368(1)(b))
- Two counts of possession of property obtained by crime under $5000 (s. 354(1))
The nurse who allegedly supplied the patient information has been charged with the following alleged breaches of the Criminal Code:
- Two counts of secret commissions (s. 426(1)(a))
- Two counts of breach of trust by a public officer (s. 122)
- Two counts of theft under $5000 (s. 334)
The OSC investigation further alleges that another financial services company’s branch manager purchased confidential maternity information over an approximate five-year period from a former Rouge Valley Hospital clerk. The clerk had been previously charged in November 2014 with unregistered trading, contrary to s. 25(1) of the Ontario Securities Act (other individuals were also alleged to have purchased confidential maternity information from the clerk over an approximately two-year period). These charges included:
- One count of failing to act fairly, honestly and in good faith with clients, contrary to OSC Rule 31-505 and contrary to s. 122(1) of the Securities Act
- One count of participating in an unlawful referral arrangement with another person, contrary to National Instrument 31-103 and contrary to s.122(1) of the Securities Act
The hospital is also facing a class action, which until recently had been stalled pending the decision of the Ontario Court of Appeal in Hopkins v. Kay. In that case, the Court of Appeal rejected the argument that PHIPA was a comprehensive code that precluded tort claims, and held that a private plaintiff may bring a class proceeding for damages in tort. In that case, the action was against Peterborough Regional Health Centre for unauthorized access to personal health information.
The end result of all this activity is that health information custodians (and others who handle personal health information) may not only face significant civil exposure for unauthorized access to such information by a rogue employee or third party, but may also be subject to investigation by the OPC and possibly by enforcement bodies in those sectors where there exists a separate regulatory and enforcement regime.
By Kirsten Thompson, McCarthy Tétrault’s Cybersecurity, Privacy and Data Protection Group
- Budget Implementation Act passed allowing certain additional charitable partnerships - July 21, 2022
- What should charities do if they find out that a board member donated to the Freedom Convoy? - March 18, 2022
- Accepting cryptocurrency for donations or payments can be quite risky for Canadian charities unless you know what you are doing - February 23, 2022
