Three hospital workers face privacy charges in Ford breach
Three hospital workers have been charged under Ontario’s health privacy law for snooping into former mayor Rob Ford’s medical records after he was diagnosed with cancer.
If they are convicted, it would be the first time in Ontario’s history that individuals have been successfully prosecuted under the Personal Health Information Protection Act (PHIPA), which came into force more than a decade ago.
Court documents obtained by the Star show Caroline Goodridge, of Laurel Ave., Mohammad Rahman, of Massey Square, and Debbie Davison, of Redbird Crescent, Pickering, all face charges under PHIPA.
The allegations include “wilfully collecting, using or disclosing personal health information” at the University Health Network (UHN) Princess Margaret Cancer Centre in January.
UHN and the Ministry of the Attorney General, which laid the charges, would not disclose any information about the allegations or the three accused hospital workers, claiming that the matter was now before the courts.
Online profiles indicate all three worked in the radiation department at Toronto’s Princess Margaret Cancer Centre. They are due to appear in court on Aug. 20.
Phone calls, voicemail messages and letters from the Star requesting comment from the three individuals were not returned Wednesday.
After Ford’s shocking cancer diagnosis last September, health professionals were caught snooping into his medical records in four separate privacy breaches in at least three Toronto hospitals, the Star reported in February.
His medical files were inappropriately accessed first at Humber River Regional Hospital, where his cancerous tumour was found. His health information was then opened without authorization at Mount Sinai Hospital in October, where he was transferred for chemotherapy.
The University Health Network (UHN) then notified the privacy commissioner that Ford’s records had been inappropriately targeted again by seven staff members at the Princess Margaret Cancer Centre on two occasions in January. Three individuals now face prosecution.
Information and Privacy Commissioner Brian Beamish said he could not comment on the prosecution because it was now before the courts.
However, earlier this year he told the Star the UHN breaches were “extremely troubling” because it meant the previous high-profile violations of Ford’s records had not acted as a deterrent to hospital employees.
In March, Beamish referred two of the snooping UHN employees for prosecution to the Ministry of the Attorney General — only the second time an Ontario privacy commissioner has requested a prosecution under PHIPA.
The first time was in 2011, after North Bay Health Centre nurse Melissa McLellan was accused of inappropriately accessing nearly 6,000 patient records. The charges against McLellan were dismissed earlier this year after a court ruled the Crown was unacceptably delaying the case.
The Star has been investigating major flaws in Ontario’s health privacy legislation since January, including the complicated and drawn-out prosecution process.
Additional stories outlined how Ontario, which used to lead Canada in health privacy laws, was now lagging behind other jurisdictions.
Unlike in other provinces, a prosecution under PHIPA must be launched within six months of a breach occurring, which means the hospital, the privacy commissioner and the police must complete their investigations and lay charges all within a six-month window.
Court documents allege Davison, Goodridge and Rahman snooped into Ford’s medical records on either Jan. 5 or Jan. 20. The charges were laid on June 25 — five months after the alleged breaches.
In June, following the series of Star investigations into PHIPA, Health Minister Dr. Eric Hoskins vowed sweeping changes to the act.
The changes — not yet introduced in the legislature — include eliminating the six-month deadline to prosecute and doubling the fines for of- fences under the act to $100,000 for individuals caught snooping and $500,000 for organizations.
“Even one privacy breach is too many, and that is why our government announced plans to amend PHIPA to further protect Ontarians,” Hoskins told the Star in a written statement Tuesday.
Privacy lawyer Michael Crystal, who has six class-action lawsuits active against Ontario hospitals, said he was pleased to see the authorities “taking a stand” against health privacy breaches.
“The proactive stance of the provincial government, largely triggered by the Toronto Star’s work, has been a welcome development and it is much appreciated by the victims of invasion of privacy that I represent,” Crystal said.
Former long-term privacy commissioner Dr. Ann Cavoukian applauded the government for launching the prosecution, but raised concerns about the ministry’s motives.
“I find it interesting that they are laying charges in the Rob Ford case. Are they doing this for perception because it was a high-profile case and they think it was important to move on it?” asked Cavoukian, who now works as the executive director of the Privacy and Big Data Institute at Ryerson University.
It’s “ironic,” she said, that the ministry would seek prosecution over violations of Ford’s medical records after he personally decided to share his cancer diagnosis with the public.
“Of all the cases you are going to choose in terms of the harm to patients involved, this one is on the low end because he chose to reveal his condition. It doesn’t reflect the harm patients would normally feel.”
It is unknown if Goodridge, Davison and Rahman still work at the Princess Margaret Cancer Centre, which is part of the UHN. UHN spokeswoman Gillian Howard previously told the Star she would not disclose whether the individuals caught snooping into Ford’s medical records had been disciplined or fired because the organization did not publicly comment “on matters of individual employment.”
Howard told the Star on Tuesday she could not comment on the case because it was now before the courts, but she said the “privacy of personal health information is something that society and UHN takes very seriously.”
The health network has recently strengthened its privacy protection, including enforcing a yearly mandatory privacy course and holding random audits of the access logs to patient records, she said. With files from Chris Reynolds and Ethan Lou