A major Hamilton hospital network has reported 11 privacy breaches, including five involving “snooping,” to the Ontario watchdog this year alone.
The most recent case, revealed this week, resulted in Hamilton Health Sciences (HHS) firing eight employees for looking through personal health information of some 4,000 patients over 12 months. The Information and Privacy Commissioner of Ontario (IPC) said it’s investigating this case as well as “any systemic issues that may be at the root of it.”
HHS has reported another 10 privacy breach cases to the IPC in 2023, the IPC confirmed to CBC Hamilton. Four of those cases also involved employees snooping or looking at records out of curiosity. The IPC did not provide details about the other six cases.
Of the four other snooping cases, half are still being investigated and half are completed, said HHS spokesperson Wendy Stewart. So far, two employees have been terminated and 42 patients whose records were looked at were notified.
To prevent privacy breaches, HHS does monthly system audits, Stewart said.
As well, all staff, including doctors and students, are trained on “their responsibility to safeguard patient health information,” she said.
HHS reported an additional 23 privacy breaches in 2022. IPC said it dealt with all of them in the “early resolution stage,” which means they weren’t investigated either because they didn’t fall within IPC’s jurisdiction or the parties reached an informal settlement.
Patient left with unanswered questions
Patient Roch Longueépée, 53, received a letter from HHS on Tuesday that informed him of the most recent privacy breach detected in April. However, it’s left him with more questions than answers — who accessed his patient records and why?
“The letter they’ve sent me is unacceptable and I will be demanding more information,” said Longueépée, a Kitchener resident.
“My trust is compromised and I’m deeply troubled by what it may mean for all those other patients as well.”
Longueépée’s letter says a “handful” of employees working in inpatient units had “inappropriately” accessed private health records of patients who’d visited an emergency department.
“Our investigation concluded that these were cases of snooping,” the letter says. “There was no evidence that any of these employees printed, downloaded or electronically shared your information with others.”
He said he’s gone to emergency departments a dozen times in the last year, including in HHS hospitals, where he also receives treatment for a multitude of neurological and immune issues that make him “extremely susceptible to sudden death.”
He said his patient records would be thousands of pages long and he’s concerned they’ll get into the hands of a third party — such as a data or insurance company — or leaked online, despite assurances from HHS.
“Health information is extremely personal and very sensitive, and it could be used against people for any number of reasons,” said Longueépée.
Stewart said HHS will not be releasing more information about the case.
Legal recourse would be costly
HHS has previously said it didn’t notify police because they determined the acts weren’t criminal.
But there still could be a “tortious,” or wrongful, element to the breach, said Prof. Teresa Scassa, an information law and policy expert at the University of Ottawa. For example, that may include a case where someone snooped for information about a particular disease or surgery, and then shared it to cause the patient embarrassment or get them fired from their job.
“The fact that it’s not necessarily criminal doesn’t mean there couldn’t be some legal recourse,” Scassa said.
Impacted patients who decided to pursue action through the courts could find out more details about anyone who accessed their information and why, during the discovery phase of the legal process, Scassa said.
“That starts to run up the bills for the people affected as well,” she said.
The IPC said it cannot comment on this most recent case as its investigation is in progress. In these types of situations, it looks at whether the organization has notified affected patients, the circumstances that led to the breach and whether actions have been taken to prevent similar breaches.
“Snooping is a serious issue that erodes patient trust and confidence in the health-care system,” IPC’s statement said.
Along with being fired, HHS employees could face regulatory sanctions from their professional organization, and if the case goes to court and they’re found guilty, they could be fined up to $200,000, the IPC said.