Have you ever been treated by a doctor or a surgeon and later learned your personal health information was improperly viewed or accessed by someone who worked in the office?
This happens more often than you might think.
And although this activity is an offence under the Personal Health Information Act and punishable by six months in jail or a fine ranging from $10,000 to $50,000, not a single person in Nova Scotia has ever been prosecuted.
The reason? The law is silent about who has authority to investigate the case and lay a charge. Meanwhile, patient privacy breaches continue with regularity.
One man (who the Examiner will call Donald to protect his privacy) received a letter dated May 10, 2023, from Nova Scotia Health. Dr. Jennifer Leighton had performed a hip replacement operation on Donald. The letter he received from Nova Scotia Health said an employee of Dr. Douglas LeGay — one of the surgeons at the same Dartmouth orthopaedic clinic where Leighton works — had improperly viewed the medical records of patients at the clinic.
The letter states:
NS Health has confirmed through audits and investigations that an employee of the Private Orthopedic Group misappropriated use and accessed the user ID and unique password of another orthopedic surgeon (Dr. Douglas LeGay) to execute inappropriate, unauthorized access without consent. NS Health policies clearly state the use of another individual’s unique access ID and password is considered a privacy breach.
The letter indicated the employee no longer works for the clinic nor has access to any of dozens of health information platforms used by Nova Scotia Health.
Donald said the letter from Nova Scotia Health has left him feeling “vulnerable” and concerned about fraud.
Donald has an unusual name and he’s concerned his name and address could be pieced together with additional information to build a profile that would allow a stranger to impersonate him when applying for a loan, a credit card, or even a government program.
Identity theft is a crime under section 402.2 (1) of the federal Criminal Code. But federal charges are relatively rare because the wording of the offence states the person who stole the information must subsequently use the information “intentionally” to commit another crime, such as fraud or theft.
Donald wanted to know precisely what information the rogue employee had accessed — Social Insurance Number? Marital status? Health insurance policy information? — and how many other patients were affected. He also wanted to know why there was no mention of charges or punishment to hold the clinic’s employee to account.
Donald filled out the forms that accompanied the letter, and asked Nova Scotia Health to provide him with the specific health information that was improperly accessed. He also notified the Office of the Information and Privacy Commissioner.
Privacy Commissioner raps ‘snooping’
The Privacy Commissioner is no stranger to this type of unauthorized snooping.
In February 2023, Information and Privacy Commissioner Tricia Ralph published a report containing recommendations after Nova Scotia Health learned at least eight of its employees had viewed or “snooped” medical files involving people associated with the Portapique mass murders in April 2020.
Here’s how Ralph described what people told her after learning their personal health information had been accessed without their consent:
Individuals who learn that someone in the healthcare system has abused their access to health records for the purpose of looking up medical information about them without a valid purpose often feel a strong emotional response. There is a deep sense of violation that comes from learning that you have been targeted in this way…
Credit protection services are a common harm mitigation strategy employed in situations where financial information has been breached. However, there is no equivalent mitigation strategy for personal health information. Affected individuals cannot subscribe to a protection service to mitigate rumours, whispers, stares, or other social harms, especially if it is not known for certain what information was shared with whom.
In her report into the privacy breach associated with the mass casualty, Ralph made the following recommendation to Nova Scotia Health, a recommendation the organization doesn’t appear to have adopted if the letter sent to Donald three months later is an indication:
I recommend that NSH ensure its future privacy breach notifications in cases of intentional unauthorized access by an employee are sufficiently personalised and specific to the matter. This includes ensuring that:
• notifications identify the name of the employee who engaged in the unauthorized access;
• notifications accurately describe the type of information accessed by the named employee;
• notifications give affected individuals specific information about what components of their personal health information were accessed and the number of times it was accessed by the named employee;
• notifications clearly identify if the affected individual was looked up and/or targeted by name;
• notifications provide context for the breaches and avoid the use of generic statements that may or may not apply to the affected individuals.
The letter sent to Donald by Nova Scotia Health in May 2023 did not include any detailed information about what personal health information was viewed, although it did provide context for the breach. It did not name the former employee of the clinic. The Dartmouth Orthopaedic Group is the downtown Dartmouth clinic where Dr. Douglas LeGay, Leighton, and several other orthopaedic surgeons work; it is listed at the Nova Scotia Registry of Joint Stock Companies as belonging to Dr. T. Duncan Smith Inc.
Late in June the clinic was sued by a former patient named Jordan Stacey who alleges the “malicious” action of the same clinic employee caused him “suffering and humiliation” as well as “lost income from work.”
A response to the lawsuit has yet to be filed. However, a lawyer for the Dartmouth surgeons, Brian Downie at the firm Cox Downie, told the Halifax Examiner none of the doctors are responsible for the actions of the unnamed employee. That’s despite the fact the “snooping” or privacy breach took place over four years before it was detected.
2,500 patients told of privacy breach
Jennifer Lewandowski is a senior communications advisor for Nova Scotia Health. Here’s her email response after the Examiner asked how many patients may have been affected by the actions of the clinic’s employee:
In late May, Nova Scotia Health began to contact about 2,500 individuals about inappropriate access to their personal health information held by NSH. This breach stems from the improper use of an orthopedic surgeon’s NSH user ID by staff of a private orthopedic clinic between January 2019 and December 2022. Some of the access (approximately 150 patients) would be considered malicious and intentional. There may be patients notified who were in fact patients of the clinic but since NSH was unable to validate the business practices of the third-party we have elected to notify all individuals involved.
Lewandowski said that “some personal and/or health information specific to each patient” was viewed by the employee, but no social insurance numbers or banking information was stolen. (In that regard, this privacy failure is different from the much larger MOVEit security breach that affected more than 100,000 past and present provincial government employees.)
“We regret this happened and apologize to those who were impacted by this breach,” said Lewandowski.
The Personal Health Information Act says persons who disclose health information without authorization can be fined $10,000 as individuals and up to $50,000 as a corporation, including each employee of that corporation.
The language is confusing. Under the act, a “person” is defined as “a custodian” of health information. That would include a doctor’s office or a private clinic or an organization such as Nova Scotia Health. In this context a “person” doesn’t refer to the rogue employee who caused the damage; the Act describes that individual as an “agent” for the custodian.
Nova Scotia Health said it will not be laying a charge against the private orthopaedic clinic. “NSH does not have capacity to lay charges and will not be pursuing this option,” said Lewandowski.
Surprisingly, no one in Nova Scotia has the capacity to lay a charge whenever there is a privacy breach under:
- the Personal Health Information Act
- the Freedom of Information and Protection of Privacy Act (FOIPOP)
- the Municipal Governance Act.
When it comes to enforcement, privacy laws in this province are toothless tigers.
It wasn’t always the case. Back in 1987 — under an earlier version of the Freedom of Information and Protection of Privacy (FOIPOP) act — Brenda Thompson and lawyer Anne Derrick took Social Services Minister Edmund Morris to court. Thompson was part of a lobby group called MUMS that was seeking affordable housing, and she protested regularly outside the legislature while pushing a stroller. Morris released details from Thompson’s Social Services file to journalists during a scrum at the legislature that indicated she was receiving social assistance and had misidentified the father of her child. (Thompson later corrected Morris’ statement on that second point.)
A judge reluctantly convicted the cabinet minister of breaching the act’s privacy provisions and Morris paid a token $100 fine under the previous version of the FOIPOP act. But the current privacy laws — FOIPOP, Municipal Governance Act, and Personal Health Information Act — are all silent about who has the authority to lay a charge when a breach occurs.
There is “no pathway, so there have been no prosecutions under any of the provincial privacy acts,” explains Sarah Gallant, a senior investigator with the Office of the Information and Privacy Commissioner who spoke with the Examiner.
Nova Scotia privacy laws fail to protect you
Information and Privacy Commissioner Tricia Ralph is well aware the laws governing privacy in Nova Scotia have serious shortcomings.
More than a year ago in her 2021-22 Annual Report, she asked Justice Minister Brad Johns to give her office the authority to investigate and lay charges, as is the common practice in other Canadian provinces.
Ralph noted that when it comes to violations committed under the Nova Scotia Environment and the Nova Scotia Occupational Health & Safety Acts, inspectors with those departments have the authority to lay charges.
Ralph made the following recommendation, asking the Houston government for an amendment to privacy laws:
Designate an enforcement body responsible for initiating the investigation of offences and referring matters to Nova Scotia’s Public Prosecution Service and include a provision authorizing the enforcement body’s disclosure of information relating to the commission of an offence. Consider making the Office of the Information Privacy Commissioner the enforcement body…
d) Remove the ‘malicious’ threshold in the offence provisions.
e) Allow the prosecution of offences to be initiated within two years of discovery of an offence.
More than a year later, the Houston government has not acted to implement this recommendation. It continues to ignore making the necessary changes to strengthen both the privacy and freedom of information provisions in these acts.
And Nova Scotia Health, which paid out approximately $1,000,000 in 2017 to settle a breach of privacy lawsuit involving more than 700 patients, tells the Examiner it is working with the OIPC to implement Ralph’s recommendations after her review of the snooping linked to the Mass Casualty.
In that February 2023 report Ralph noted:
This investigation demonstrates how easy it is for employees to intentionally violate individuals’ privacy when electronic health records are broadly available across many electronic information systems. It also demonstrates many of the challenges custodians face in holding employees accountable for this behaviour…
I make recommendations for additional follow-up steps and for stronger safeguards to limit employees’ access to look up and view only the electronic health records that they need to fulfill their jobs. If action is not taken, there will continue to be incidences of intentional privacy breaches by employees of NSH.
In 2020, Carla Munroe sued the Nova Scotia Health Authority for breach of privacy. A check of that court file suggests the allegation was either dropped or Nova Scotia Health settled the matter out of court.
And as previously mentioned, within the last three weeks, another patient has filed a civil action for a privacy breach that took place at a busy Dartmouth orthopaedic clinic.
The Examiner asked Nova Scotia Health what steps it has taken to implement the privacy commissioner’s recommendations to prevent future issues. We received this response from spokesperson Jennifer Lewandowski:
Overall, NS Health is committed to addressing the concerns raised in the report and is actively taking measures to strengthen privacy and data security protocols. We took proactive measures to help prevent breaches even prior to the issuance of the report by the OIPC. For instance, we have hired an individual responsible for auditing access to personal health information and we are building a new audit plan which we hope to implement in September.
Additionally, we have established a process to promptly revoke system access for individuals under investigation. This process was implemented in spring 2023… Furthermore, discussions have commenced with zone executive leadership teams to plan for expanded privacy training this fall.
Clearly, both Nova Scotia Health and the provincial government have work to do. Nova Scotia Health needs to figure out how to improve compliance with the existing rules and establish boundaries around how many information systems individuals can access to carry out their job. And the Houston government needs to speed up and modernize privacy laws so they can be enforced to protect privacy the way they should.