The lawyer for plaintiffs pursuing a class action against Toronto’s Rouge Valley Centenary says recent privacy breach cases helped inform the $412-million lawsuit.
Michael Crystal, of Crystal & Associates in Ottawa, is representing parents who allege their personal information was sold by two hospital staffers to Registered Education Savings Plan after their children were born at the hospital.
The statement of claim is between Elia Broutzas and Meagan Ware, plaintiffs, and defendants Jane Doe “A” and Jane Doe “B,” John Doe Registered Education Savings Plans Corp., and Jane Doe “C.” Crystal says he has about 150 people signed to the class action so far.
“Initially there were four or five people who came to us,” he says.
The hospital revealed in June that contact details for about 8,300 patients at Rouge Valley Centenary — mostly parents who had babies between 2009 and 2013, had been given to private companies selling RESPs.
While Crystal says in the past businesses may have contacted new parents following the birth of their babies via various channels, what happened at Rouge Valley was different.
“There have always been various businesses that played on these types of events but in this case these employees were fired for improperly accessing information and selling [it] for a commercial purpose. That is the serious component and if there was an RESP business working with them that’s totally unacceptable,” he says.
On June 18, the Office of the Information & Privacy Commissioner issued the following statement:
“The IPC has begun its investigation into these incidents and is speaking to numerous parties to explore the possible ways in which personal health information may have been provided to RESP companies.”
The Toronto Police Service and Ontario Securities Commission are also investigating the investment company involved. Crystal says he is seeking to have the names of the individuals who allegedly sold the information and the investment company made public.
“I think the motion we will be bringing for the defendants [the hospital] to name other defendants will be successful and as the investigations by the OSC and police goes forward we’ll be able to name the other players,” he says.
Health law expert Alan Belaiche, of Belaiche Law in Toronto, says the Rouge Valley case “appears to be a prima facie breach of [Personal Health Information Protection Act].”
He says hospitals should generally be checking to make sure staff are properly trained and know what is inappropriate conduct.
“I wonder if the hospital will not be conducting its own internal investigation that should ordinarily result in terminations of staff who have breached PHIPA and presumably, hospital privacy policies.”
Crystal says the invasion of privacy/intrusion upon seclusion case, Jones v. Tsige, makes it clear even the inappropriate accessing of information for nothing more than curiosity and gossip is “just unacceptable and actionable.”
In previous cases of breach of privacy victims have been awarded between $10,000 and $20,000. Crystal says the damages being sought per class member in the Rouge Valley case (approximately $49,000 per patient) reflects counsel’s position that this is an “extreme breach of intrusion upon seclusion warranting the higher end of the spectrum.”
However, the Court of Appeal in Jones v. Tsige stated that aggravated and punitive damages in these types of cases should only be awarded in exceptional circumstances and that the $20,000 cap should generally remain the ceiling of damages.
Another case Crystal references is Evans v. The Bank of Nova Scotia, a certification of a class action decision that involved a bank employee who admitted to accessing and stealing personal information from 643 of the bank’s clients for fraudulent purposes.
Lad Kucis, partner with Gardiner Roberts LLP in Toronto says there is “a very good chance” the class action will be certified, as the facts are very similar to Evans v. The Bank of Nova Scotia.
“In my view, I believe the hospital has significant exposure in this case, including with respect to the newly recognized tort of intrusion upon seclusion, negligence and breach of contract, says Kucis. “ In my opinion, a strong argument could be made that the hospital is vicariously liable for the actions of its employees in such circumstances, especially if it can be demonstrated that the hospital did not take appropriate/sufficient steps to restrict the ability of the employees to access the personal health information.”
Kucis says if this case unfolds, focus will “undoubtedly be placed” on the health information practices of the hospital, especially as they relate to the protection of personal health information maintained in electronic form. In particular, he says inquiries will be made as to why the employees had access to the information and what systems were in place, if any, to restrict/limit access to information and to monitor when and by whom it was being accessed.
“We are transitioning into a very different age with regards to privacy,” says Crystal. “We are going through a radical transition into a new age where electronic information and data breaches are going to be the big issues. The bottom line is the nature of the technology should never force a second rate protection of people’s privacy. We have to treat this as we would any other malicious intentional theft of information.”