The Ontario Information and Privacy Commissioner issued an Order
Tuesday requiring the Rouge Valley Health System to implement wholesale changes to its electronic information systems while the RESP dealers remain nameless.
Brian Beamish, acting commissioner of IPC issued a statement Tuesday about the review his agency conducted regarding the two privacy breaches that occurred at the hospital which led to charges being laid against former employee Shaida Bandali. WP reported
yesterday that Bandali appeared in court last Friday but the case was put off until January 19, 2015.
Beamish and the IPC are clear in their key findings about the seriousness of these breaches, which affected as many as 14,000 patients at the hospital. It found that the hospital’s audit procedures including the functionality of one its electronic information systems were not fully addressed before the second breach was discovered.
That’s terribly damaging news for the hospital because the facts of this case seem to indicate that the alleged defendant’s breach (the second and more serious) could have been partially prevented by expediently addressing the issues and shortcomings of its information systems.
The IPC has ordered the hospital to implement several changes to its auditing and privacy policies and procedures to ensure this doesn’t happen again. Further, it has initiated discussions with the Ontario Ministry of Health in order to develop a streamlined process for commencing prosecutions.
Beamish stated, "Over the last decade we have seen a growing number of privacy breaches involving unauthorized access to personal health information by staff within the health sector… This Order should send a strong message to all health information custodians in Ontario, including hospitals, that they must implement reasonable measures and safeguards to eliminate or reduce the risks that may arise from unauthorized access. The strong message to staff is that there will be serious consequences arising from their actions."
Ottawa lawyers Michael Crystal and Norman Mizobuchi are leading a class action lawsuit on behalf of former patients affected by this serious breach of privacy. Crystal told WP, “As counsel for the plaintiffs in the Rouge Valley action, myself and Mr. Mizobuchi recognize that it is rare for the Information and Privacy Commissioner to issue orders and are very encouraged by these findings. This is a significant development in the case. We remain committed to pursuing a remedy for these families in a court of law."
WP continues to follow this case as it winds its way through the judicial process. For the sake of parents considering RESPs, one can only hope the names of the dealers involved are soon released.