
Cyber and Privacy

Inadvertence Does Not Equal Recklessness

 Aug 9, 2019 5:00 PM
by Laura Emmett

It is fair to assume that the personal health information provided to medical professionals is kept confidential. Medical professionals and institutions set up policies and procedures to ensure that the information is collected, stored, and used in an appropriate manner and in compliance with privacy regulations. Recently, an individual took the Queensway Carleton Hospital to court, alleging that its procedure for surgery bookings caused her significant damages.

The facts of this case are straightforward. The Plaintiff was told that she required surgery. While waiting for a date for the surgery, she received a paper surgical booking package that she had to complete. The Plaintiff testified that she dropped off the completed booking package in the Hospital’s drop box. However, about a week later, it was returned to her by Canada Post. Despite the Plaintiff’s complaints, no one from the Hospital accepted responsibility for the misplaced booking records. The Information and Privacy Commissioner of Ontario was unable to make a determination regarding who was responsible for the privacy breach. The Plaintiff commenced a claim for damages for intrusion upon seclusion, breach of confidence, and public disclosure of embarrassing facts. She also sought punitive damages.

The Court found, on a balance of probabilities, that the Hospital received the records and they were misplaced. The Plaintiff relied on three causes of action to support her claim: intrusion upon seclusion, breach of confidence, and public disclosure of embarrassing facts.

In dealing with intrusion upon seclusion, the Court found that a single act of inadvertence, assuming that was what happened, was not sufficient to prove recklessness. In fact, the Court found that the Hospital’s protocol for handling booking records did not create an obvious or serious risk. The Court found that the system worked quite well despite this one instance. There was not a deliberate and significant invasion of personal privacy as required in order to satisfy the threshold for damages.

Second, to establish the tort of breach of confidence, the Plaintiff had to show that the Hospital made unauthorized use of her booking record and misused it to her detriment. Once again, the Court found that this claim was not satisfied, as there was insufficient evidence that the Hospital misused the booking record.

Third, the Court found that the tort of public disclosure of embarrassing facts was not established. There was no evidence that the Hospital “published” the booking record or that the records were deliberately made publicly available. The evidence showed that the record could only be seen by postal workers in Montreal to determine where the record should be returned to. This was not sufficient to establish damages.

The Court considered the provisions of the Personal Health Information Protection Act. Section 71(1)(b) provides a statutory immunity for health information custodians where there has been an attempt at good faith compliance with the Act. The Court found that the evidence did not establish that the Hospital’s use of surgical booking packages was unreasonable. Additionally, there was no evidence that there had been any issues with other booking records, either before or after this incident.

Finally, the Court considered whether the Claimant was entitled to damages based on her “humiliation, anxiety and distress” arising from the receipt of the envelope from Canada Post which contained the booking records. The Plaintiff did not establish, on a balance of probabilities, that she suffered anxiety or psychological upset that rose to the level of requiring compensation. Similarly, there was no high-handed, arrogant or contumelious behaviour on the Hospital’s part that would warrant a finding of punitive damages.

Hospitals are particularly vulnerable to privacy claims – they are required to gather a significant amount of personal health information in a very short period, store and protect that information, and use it in an appropriate way. Healthcare organizations must implement robust safeguards and procedures to ensure their patients’ information is properly collected, used, and disclosed. Taking these reasonable steps will lower an organization’s financial and litigation risk. A good place to start is creating privacy policies or hiring an experienced counsel to review existing policies and their implementation.

See Wilson-Flewelling v Queensway Carleton Hospital, 2019 CanLII 65155 (ON SCSM)


Laura has a diverse practice where she focuses on accident benefits, bodily injury claims, product liability, cyber liability, privacy law and drone liability.


  

 

 