Charges Filed in Massive Toronto Hospital Privacy Breach

8 July 2015

Doctor-patient confidentiality is about as close to sacred as any non-religious contract can be. So it’s understandable that it was greeted with outrage when a major Toronto health network revealed last year that thousands of new mothers who gave birth there had been the victims of a serious privacy breach. Their records appeared to have been stolen from the hospital and sold to financial corporations. Now, charges have been filed against the individuals and corporations involved, and are being called “the most serious consequences any health professional has faced for a privacy breach.”

“These are far more serious charges than we’ve ever seen before. They’re suggesting that the information wasn’t snooped, but sold,” lawyer Michael Crystal, who is representing the victims in a class-action lawsuit, told the Toronto Star.

Investigations into the situation began in the spring of 2014, when a printout containing patients’ names, addresses and phone numbers was found on a printer at a Rouge Valley Health System hospital in Toronto.

“[T]hat was given to management and we started investigating,” hospital spokesperson David Brazeau told the CBC.

Eventually, two employees admitted to obtaining patients’ confidential information using their patient labels and selling it to financial corporations that sold Registered Education Savings Plans (RESPs), a form of savings account for post-secondary education, allowing them to target new mothers for their sales pitches. On a few occasions, employees of the financial institutions even submitted fraudulent RESP applications using the new mothers’ information.

One of the hospital employees, nurse Esther Cruz, has now been charged with six Criminal Code offences, according to representatives from the Ontario Securities Commission. These include two counts of accepting a secret commission, two counts of theft under $5,000 and two counts of breach of trust by a public officer.

Nellie Acar, a sales representative with Global RESP Corporation, has also been charged with several crimes. Having forged RESP applications using the information stolen from the hospital, she was charged with two counts each of forgery, uttering a forged document, giving a secret commission and possession of property obtained by crime.

Three other people have also had charges brought against them, including former Knowledge First Financial Inc. branch manager Poly Edry, her spouse Gavriel Edry and former C.S.T. Consultants Inc. assistant branch manager Subramaniam Sulur.

All told, 14,000 new mothers’ information may have been stolen and sold from Rouge Valley Health System sites, including 8,000 records from its Scarborough location and 6,000 from its Ajax hospital. Ontario’s information and privacy commissioner has stated that the hospitals “failed to comply” with the laws in place to protect personal health data.

As this story demonstrates, privacy breaches can come from the most unexpected sources. In order to be better prepared in case your information is breached, you may want to look into a credit monitoring service. This will allow you to be alerted to certain activities on your credit file that may indicate fraud.