A $40 million class action was commenced against Ottawa’s Montfort Hospital, as reported by Chris Hofley in the Ottawa Sun, on May 10, 2013.
The case is based upon the health care information of 25,000 patients that was collected in October 2012 and lost on a non-password-protected USB key in November 2012. The lost information included patient names, services received at the hospital and a health care provider code for each service. While the USB key was recovered shortly thereafter and there is no evidence the information was accessed by a third party, the class is alleging breach of contract, negligence, breach of privacy and violations of the hospital bylaws and the Personal Health Information Protection Act.
The class alleges that the hospital was negligent in that it failed to password-protect the information and then failed to disclose the loss of the information in a timely manner. According to the Sun, “the suit seeks damages to compensate patients for the costs related to preventing identity theft, mental distress and ‘inconvenience, frustration and anxiety’ caused by the incident.”
We seem to hear more and more frequently about privacy breaches in Canada. Increased volumes of data certainly increase the risk of inadvertent disclosure. However, there are ways to protect against these risks, namely, good information governance. Good information governance policies and protocols increase data protection, decrease unauthorized access, and generally are successful at keeping organizations out of the media and courts for privacy breaches of the sort described above.