It is clear that regulators and courts are not taking snooping lightly – particularly in cases involving sensitive health information – and courts are willing to impose high fines to reinforce that this behaviour is unacceptable.
A Master of Social Work student learned the hard way that improper access to personal health information comes at a high cost; in this case, out of Goderich, Ontario, that cost was $20,000.
During an educational placement with a family health team between September 9, 2014 and March 5, 2015, the student accessed, without authorization, the personal health information of 139 individuals, including family, friends, local politicians and staff of the clinic. The student pled guilty to wilfully accessing the personal health information of five individuals and was ordered to pay a total of $25,000, comprising a $20,000 fine and a $5,000 victim surcharge.
The Information and Privacy Commissioner of Ontario (the “IPC”) noted that this was the fourth person convicted under the Personal Health Information Protection Act. This fine is the highest to date for a health privacy breach in Canada, signalling that snooping, particularly in the health care sector, has serious consequences. The IPC press release emphasized the importance of patient privacy and the obligations on health care providers to ensure proper safeguards are in place to protect the confidentiality of this sensitive information.
In a snooping case out of Alberta, a former supervisor of health information management was convicted of accessing individuals’ health information in contravention of the Health Information Act and was fined $5,000. After Alberta Health Services self-reported the breach, the Alberta Office of the Information and Privacy Commissioner (the “OIPC”) investigated and determined that Amanda Tripp had improperly accessed the health information of numerous individuals. The OIPC referred its findings to Crown prosecutors at Alberta Justice, and on March 21, 2017, the judge imposed a $5,000 fine for 13 unauthorized accesses of health information.
These cases are a reminder that privacy breaches are not limited to hacking and cybersecurity incidents. Unauthorized uses of information by an organization’s own staff – particularly in the health, financial and retail sectors, where employees may have access to a great deal of sensitive personal information – are also a serious concern. Employers must take steps to prevent and mitigate snooping. Organizations have legal obligations to safeguard the personal information in their possession, which means using a variety of controls, including restricting access to those employees who need it to perform their job functions. Employers should ensure that employees understand what constitutes a privacy breach – namely, that any unauthorized access to personal information is a breach, even where the employee was snooping out of curiosity with no malicious intent. Employers should also be mindful that an affected individual is not limited to filing a complaint with the applicable regulator: individuals may also sue in court, including through class action proceedings.