Snoops fined for buying hospital info
Violating privacy of new moms to sell RESP plans prompts penalties of $48,000, community service
An Ontario Court judge has slapped fines on two former investment dealers who bought stolen medical information to use as sales leads.
In a decision delivered at Old City Hall on Tuesday, Ontario Court Justice Malcolm McLeod ruled Polina “Poly” Edry and Subramaniam Sulur took part in “a massive criminal scheme that violated the privacy of thousands” of patients in the Rouge Valley Health System. The goal was to sell Registered Education Savings Plans (RESPs) to new mothers in Rouge Valley maternity wards, McLeod said.
Edry, a former branch manager at Knowledge First Financial Inc., was fined $45,000, placed on probation for two years and ordered to serve 300 hours of community service for her role in the snooping plot. She will also be banned from practising in the financial services industry for at least two years.
Her co-accused, who was an assistant manager with CST Consultants Inc., was given the same sentence with a lower fine — $3,000 — and 150 hours community service due to his age and financial standing, the judge found.
Former financial services manager Poly Edry pleaded guilty to violating the Ontario Securities Act
Edry and Sulur both pleaded guilty in June to one count each of participating in an improper referral arrangement, an offence under the Ontario Securities Act.
Other charges against Sulur and Edry were withdrawn on Tuesday, while a charge of unregistered trading against Edry’s husband was dropped earlier this year.
Sulur’s lawyer, Gary Johnston, declined to comment Tuesday but said the reduced fine for his client was welcome.
Ken Dekker, the lawyer who represented Edry, said: “We don’t necessarily agree with all the judge’s findings, but she’s glad to have it done.”
Five people have now been convicted of involvement in the snoopingfor-profit scheme, which affected at least 14,000 maternity patients at Rouge Valley Health System hospitals.
The huge privacy breach was an- nounced by the health provider in 2014, after an internal investigation prompted two employees to admit they had snooped into patients’ medical records.
The province’s privacy commissioner launched its own investigation and criticized Rouge Valley for failing to uphold adequate safeguards on its electronic database.
The Ontario Security Commission’s Joint Serious Offences Team also started an inquiry, which led to charges against hospital and financial services workers.
In June, two others involved — Esther Cruz and Nellie Acar — were sentenced to three months’ house arrest, two years’ probation and 340 hours of community service.
Cruz was a maternity ward nurse at the Rouge Valley and Scarborough hospitals.
She admitted to selling private information of new mothers over a two-year period — January 2012 to August 2014 — to Acar, who was a broker with the Global RESP Corpo- ration at the time.
Cruz had pleaded guilty to two counts of secret commissions and is also facing a disciplinary hearing at the College of Nurses of Ontario for professional misconduct and failing to disclose the charges.
Acar, meanwhile, pleaded guilty to one count of using a forged document and one count of secret commissions.
Edry and Sulur admitted to involvement in the scheme through a different hospital worker: former Rouge Valley clerk Shaida Bandali. According to the security commission, Bandali created investor lists with patient information and sold them to Edry and Sulur so they could use them to find RESP clients.
Bandali pleaded guilty last year and was hit with a $36,000 fine, two years of probation and 300 hours of community service by Ontario Court Justice Kathleen Caldwell in November.
The court heard in that case that Bandali earned about $12,000 selling the records over the course of four years.
Michael Crystal, a lawyer in Ottawa who is spearheading a $412-million class-action lawsuit over the privacy breach, said the prosecution of hospital privacy breaches is uncharted legal territory.
“I am delighted to see the criminal process engaged in this type of conduct, and clearly the courts have taken this conduct to be criminal and awarded appropriate sentences,” he said.
Privacy breaches at Ontario hospitals have become a growing concern for health practitioners and the government, as more and more records in the province are digitized and made accessible in easy-to-use electronic databases. Two health care workers who snooped into late Toronto mayor Rob Ford’s electronic hospital records were the first to be convicted under PHIPA, the provincial health privacy legislation. The pair pleaded guilty and each was fined $2,505.
In May, Queen’s Park passed a bill to increase fines for violating patient privacy, eliminate the six-month time limit to start prosecution and make it mandatory to report privacy breaches to the Information and Privacy Commissioner and relevant regulatory colleges.