Worker who pleaded guilty to medication theft accessed patient records to commit the act, court says
A recent decision of the Ontario Superior Court of Justice cautions healthcare employees not to go “privacy rogue” lest they lose their job and license from their regulatory college, Kate Dewhirst, a lawyer focusing on healthcare matters, has said.
In Demme v. Healthcare Insurance Reciprocal of Canada, 2021 ONSC 2095, the plaintiff, then employed as a registered nurse in a hospital, allegedly misused an automatic dispensing unit to obtain over 23,000 Percocet tablets for herself, without authorization, from 2006 to 2016. She allegedly wrongfully accessed personal medical records of over 11,000 patients for this reason. She pleaded guilty to the criminal charge of theft of the tablets.
The plaintiff and the hospital faced eight civil actions filed by patients alleging that the plaintiff committed the tort of intrusion upon seclusion. The plaintiff requested that the Healthcare Insurance Reciprocal of Canada (HIROC) defend her in the actions, pursuant to an insurance policy that covered the hospital and its employees.
HIROC denied the plaintiff’s request to defend, contending that the alleged injuries did not arise out of an occurrence as defined in the insurance policy and that the claims did not fall within the scope of the policy. HIROC also invoked two exclusions, the intentional act exclusion and the criminal act exclusion.
The plaintiff filed a motion for a declaration that HIROC owes a duty to defend her, as an insured pursuant to the policy, in the civil actions naming her as defendant and should pay her future defence costs. She likewise sought reimbursement of the costs she had already incurred.
The Superior Court of Justice of Ontario dismissed the plaintiff’s motion, ruling that the plaintiff could not avail of the insurance coverage and that HIROC had no duty to defend her. The true nature of the claims against the plaintiff was the intentional tort of intrusion upon seclusion, which was not covered under HIROC’s occurrence-based policy, the court said.
The court ruled that the mere possibility that the claims as pleaded fell within the policy’s wording would trigger HIROC’s duty to defend. Claims could fall within the policy’s coverage if an accident caused the injuries or damages which the insured did not expect or intend, the court said.
The court found that, in this case, the plaintiff’s intention to access the medical records amounted to an intention to cause injury. The patients were injured once the records were accessed because at that point they lost control over their private information. Because these injuries were not unexpected or unintended on the plaintiff’s part, the injuries were not considered caused by an occurrence.
The court also found that the claims were excluded by the intentional act and criminal act exclusions, which HIROC sufficiently established as applicable. The intentional act exclusion applied because the plaintiff intentionally accessed medical records. This access of records has a foreseeable and inevitable consequence of the plaintiff seeing the patients’ private information, at which point the patients lost their ability to control such information and suffered injuries.
As for the criminal act exclusion, the court found that accessing the records was part and parcel of the theft of tablets and arose out of the performance of this criminal act, to which the plaintiff had pleaded guilty.
In a blog post published on the website of Kate Dewhirst Health Law, Dewhirst called attention to the fact that, in this case, the hospital was not a party to the plaintiff’s motion.
“So this decision doesn’t say anything about whether the policy would cover the hospital’s vicarious liability for the nurse’s actions, or its potential liability for the privacy breach by virtue of its own supervisory and safety failings in respect of its personnel and drug protocols (failings that were mentioned in the certification decision),” Dewhirst wrote in the blog post.