Toronto Hospital Privacy Breach: A Year Later

24 April 2016

Last spring, nearly 14,000 expecting mothers at a Toronto hospital left as more than new parents – they left as victims of Canada’s latest privacy breach. In the weeks that followed, the story emerged: A nurse in Rouge Valley Hospital’s maternity department was among five people charged for their roles in stealing the new moms’ confidential records and selling them to financial firms.

Just a few weeks later, three other Toronto hospital workers were charged for illegally accessing former mayor Rob Ford’s medical file after he was admitted for treatment at the Princess Margaret Cancer Centre.

Together, the two incidents brought the security of health records across the country under scrutiny, as well as the laws in place to protect them. In the year since, however, privacy breaches have continued to plague the health care industry.

Improving Legislation to Protect Privacy

Shortly after last spring’s high-profile breaches, Ontario Health Minister Dr. Eric Hoskins announced a new bill to help law enforcement crack down on illegal accesses. The bill was designed to add teeth to Ontario’s Personal Health Information Protection Act (PHIPA), which had not led to a single conviction in the decade since it became law. One reason it had been so unsuccessful is that it places a six-month limit on prosecuting privacy offenders. As a result, in order to successfully charge someone under PHIPA, any investigations by either the health care organization itself or by the provincial Information and Privacy Commissioner must be wrapped up within six months.

Even then, PHIPA leaves the authority to prosecute solely in the hands of the Attorney General, who will not prosecute until the Privacy Commissioner has advised him or her to do so and police have reinvestigated the breach and confirmed a law has been broken. All things considered, it proved incredibly difficult to squeeze that lengthy process into a short, six-month window.

Hoskins’ amendments would have removed the six-month limitation on prosecuting privacy breaches, as well as increased fines and made reporting such incidents mandatory. While it was introduced to the floor in September, the bill was tabled before it could become law.

An ‘Epidemic’ of Privacy Breaches in Health Care

The very next month, another privacy breach – this one in Alberta – saw one health care professional fired and another 47 disciplined for illegally accessing a patient’s confidential records. According to Scott Sibbald, spokesperson for Alberta’s Privacy Commission, “this isn’t an isolated incident by any means.”

“We are seeing, and I guess for lack of a better term, an epidemic within electronic medical records systems,” Sibbald told the CBC.

Putting the Alberta case into context, Sibbald said privacy breaches had been on the rise for at least two years leading up to the incident. The reason for such a sharp uptick in breaches, he explained, is that more and more patient records are being moved into centralized, electronic databases.

Protecting Your Identity

While it does not appear that the aforementioned breaches were performed out of a desire to commit fraud or identity theft, health records contain personal information that could be valuable in the hands of an ID thief. From specific details about a person’s medical history, to identifying information, to financial data stored for billing purposes, medical files are virtually a one-stop shop for identity thieves looking for a complete personal profile.

While there is no way to make sure your hospital records aren’t seen by anyone but your doctors, there are steps you can take to help protect your identity should a breach occur. By signing up for an identity theft protection service, you can receive notifications should we detect certain activity that may indicate you could be a victim of ID theft. To learn more about how to improve your identity theft protection, contact Identity Guard Canada today.