When an individual enters a hospital in Ontario, they can reasonably expect their medical data to be kept private and secure. Ensuring privacy is fundamental to a healthcare provider’s duty of care, or legal obligation, to their patients. But in recent years, several hospitals in the Greater Toronto Area (GTA) have experienced significant privacy breaches that have put patients – new mothers, in particular – at risk. Let’s have a look at a few significant cases, and examine why the victims had cause to launch a class action or medical malpractice lawsuit.

Rouge Valley Health System

The most prominent recent examples of hospital privacy breaches in Ontario occurred at Rouge Valley Centenary and Scarborough Hospital, both members of the Rouge Valley Health System.

In these cases, hospital employees sold the personal information of 14,450 mothers, including names, phone numbers and addresses, to private companies selling Registered Education Savings Plans (RESPs) between 2009 and 2013. Patients were later contacted by sales reps from these companies.

“It was a completely inappropriate interaction that completely went against our policies. We are taking this very seriously,” said Rouge Valley spokesperson David Brazeau to the National Post in 2014. “Our patients placed their trust in us, and we sincerely apologize that this happened.”

The affected patients launched a class-action lawsuit against Rouge Valley that holds the hospital liable for $332-million in “damages for breach of contract, breach of warranty, breach of confidence, intrusion upon seclusion, negligence, and conspiracy,” according to the statement of claim. The plaintiffs are also seeking $80-million in punitive damages, for a total of $412-million.

In addition to opening the hospitals up to the possibility of a class action or medical malpractice lawsuit, the privacy breach also led to criminal charges, including several against registered nurse Esther Cruz and investment seller Nellie Acar. Both defendants pleaded guilty, and in 2016 were sentenced to house arrest, probation and more than 300 hours of community service.

“This is certainly an indication that what happened here was very, very grave and requires the most significant and substantial penalty that the criminal court can impose, and that is incarceration,” said Michael Crystal, a lawyer for the plaintiffs in the class-action suit. “For those people who have had their privacy violated in hospitals, it is a red-letter day.”

Baby Photographers

Rouge Valley Health System hospitals were also involved in a far-reaching data breach involving baby photographers. For several years beginning as early as 2009, six GTA hospitals provided patient information to Just Arrived Baby Photography Inc., a contractor that offered photography services to new mothers.

In addition to Rouge Valley facilities, privacy breaches occurred at Toronto East General, Mount Sinai, Humber River, North York General, and St. Joseph’s Health Centre. The photography company received comprehensive patient data, including dietary needs, type of delivery, and length of hospital stay.

Peterborough

The private records of 280 Peterborough Regional Health Centre patients were accessed between 2011 and 2012, including those of Erkenraadje Wensvoort, the lead plaintiff in an ongoing class action lawsuit against the hospital.

The Wensvoort-led case is of precedent-setting significance, as it determined whether patients could directly launch a class action or medical malpractice lawsuit against hospitals. The Peterborough Regional Health Centre fought to have it thrown out on the basis that Ontario’s Superior Court ‘has no jurisdiction to hear the lawsuit because under the province’s Personal Health Information Protection Act (PHIPA), personal health information privacy violations are solely the domain of the Ontario privacy commissioner,’ according to the Toronto Star.

The patients’ lawyers disagreed, arguing that the PHIPA doesn’t bar patients from initiating common-law action.

In February 2015, the Ontario Court of Appeal ruled that the plaintiffs’ suit for $5.6-million in general, punitive and aggravated damages could go ahead, and in November of that year the Supreme Court of Canada upheld that decision. The case is ongoing.

Can these breaches lead to a medical malpractice lawsuit?

Absolutely. Privacy breaches relating to confidential medical records can cause significant, tangible damages. While improper access to these records can, in some circumstances, result in monetary damage, the more likely result is emotional or psychological harm. When a person has just been released from the hospital, either as a new mother or as a patient recovering from a procedure, they are more vulnerable than they might normally be. Impositions such as the aggressive telemarketing calls in the Rouge Valley data breach can cause substantial and lasting distress.

If you or a member of your family has suffered injuries as a result of a medical privacy breach, contact the team at Neinstein Personal Injury Lawyers’ Medical Malpractice Group today. We can help you assess your options and legal standing, and decide whether a medical malpractice lawsuit is your best chance for recovery.

Greg Neinstein

Greg Neinstein, B.A. LLB., is the Managing Partner at Neinstein Personal Injury Lawyers LLP. His practice focuses on serious injury and complex insurance claims, including motor vehicle accidents, slip and fall injuries, long-term disability claims and insurance claims. Greg has extensive mediation and trial experience and has a reputation among his colleagues as a skillful negotiator.