Recently, there has been increasing concern about the potential risk of liability relating to privacy breaches involving personal health information. Subsequent to new developments in the law relating to tort liability and the certification of a number of class action law suits relating to breaches involving personal health information, this is an area of the law that is evolving rapidly.
In Canada, there has traditionally been no independent action or tort for invasion of privacy. A claim for breach of confidentiality or breach of privacy would typically be brought in conjunction with a claim for constructive dismissal, breach of contract or negligence. Damages for breach of privacy/mental distress tend to be nominal, although there could be other compensable damages or economic losses associated with the main cause of action.
In Ontario, the Personal Health Information Protection Act, 2004 (“PHIPA”) came into force in November of 2004 and provided a statutory basis for damages for privacy breach. Specifically, there is a statutory right to seek compensation through the Ontario Superior Court for breach of privacy for actual harm suffered where an order has been issued by the Information Privacy Commissioner/Ontario (“IPC”) or there has been a conviction of an offence under PHIPA. PHIPA further provides that damages for mental anguish relating to breach of privacy, capped at $10,000.00, may be awarded where the action is wilful or reckless.
One question which is as yet unanswered concerns whether an order by the IPC would be a precondition to bringing a claim for damages for breach of privacy. Although many privacy breaches are reported to the IPC, there have only been eleven orders under PHIPA since the legislation came into force. We are not aware of any convictions for statutory offences.
There have been several significant developments over the past two years that have changed the legal landscape dramatically. The first relates to the emergence of privacy class action lawsuits. The second relates to a new independent privacy tort that is now recognized in Ontario.
Privacy Class Action Law Suits
In January of 2010, the IPC issued an order relating to the Durham Health Region and the use of encryption. In this case, a public health nurse lost an unencrypted USB key with personal health information relating to over 83,500 individuals. All of the individuals were notified as required under PHIPA and apologies were given.
A class action law suit was commenced in December of 2011. The Plaintiffs claimed $40 million in damages. The claim was framed in terms of negligence, breach of statutory duty and breach of fiduciary duty, and the primary concern related to potential identity theft.
In July of 2012 a class action settlement was approved, including $500,000 in costs awarded to legal counsel, plus a percentage of any claims paid. No claims were paid, as it was determined that there was no evidence of identity theft or any other economic loss. Mr. Justice Lauwers, who approved the settlement, was not prepared to award compensation in the absence of such a finding. This is consistent with legal authorities in the United States and Canada, which have found that damages for mental distress relating to the risk of fraud or identity theft are not compensable as they are minor and transient. Rather, there must be evidence of actual harm.
Since this time, there have been a number of class action law suits commenced against health industry clients relating to privacy breaches, particularly in relation to unauthorized access to electronic health records (i.e. the “rogue” employee) or loss of personal health information. For example, class action law suits have been brought against Regional Health Authorities in Nova Scotia and Newfoundland and Labrador with respect to unauthorized access to patient information by employees. In March of 2013, a privacy class action law suit was certified with respect to Montfort Hospital after an employee took home files on an unencrypted USB key with records relating to 25,000 patients, which was subsequently lost. Another class action law suit has been commenced against Peterborough Regional Health Centre and seven former employees after a privacy breach involving 280 patients.
We are still at a very early stage with respect to privacy class actions and there are a number of unknowns. For example, can a health industry client be found to be vicariously liable for the intentional behaviour of its employees or agents? Can liability be found where there were appropriate systems in place to address privacy, but an individual failed to follow them? From the direction that these issues are evolving, it is not enough to simply have appropriate policies and procedures in place – the organization must also monitor and enforce those policies.
Privacy Tort – Intrusion upon Seclusion
Another major development in Ontario has been the release of the decision of the Court of Appeal, Jones v. Tsige, in January of 2012. This case established an independent privacy tort based upon “intrusion upon seclusion.” The Court recognized that in certain cases where the conduct is intentional or reckless, there ought to be a right of action where there has been a deliberate and significant invasion of personal privacy. The Court defined the specific elements that must be met.
In terms of damages, the Court found that there was no need to demonstrate harm to economic interests or actual loss; however, damages for intrusion upon seclusion would be relatively modest and capped at $20,000. While the risk in relation to a single patient may not be significant (unless there is actual loss), the potential risk relating to a class action law suit is significant given the number of individuals who may be impacted.
Since the Jones decision, the British Columbia Supreme Court has confirmed that there is no common law tort of invasion of privacy in that province. A number of provinces, including British Columbia, Saskatchewan, Newfoundland and Quebec, have statutory torts of invasion of privacy that are applicable.
Costs of Privacy Breach Notification
Another area of potential privacy risk is the cost of privacy breach notification and containment programs, particularly since notification of patients is mandatory under PHIPA. Where the privacy breach involves a large number of individuals, the costs of identifying and notifying the individuals who have been impacted and of managing the breach require a significant expenditure of time and resources.
Where there is potential risk of identity theft, health industry clients may need to look at strategies to mitigate the risk. In other private sector class action settlements, identity theft and credit monitoring services, compensation for time needed to replace identification, etc. have been built into settlement packages.
There are a number of insurance products that are available in the market that deal with cyber risk, data security and privacy breaches and allow for risk transfer. Some products include coverage relating to privacy breach notification and identity theft monitoring.
Health industry organizations should continue to take a risk-managed approach to address privacy risk. This includes putting in place adequate policies and procedures relating to privacy and security of personal health information, including in regard to privacy breach management. Issues relating to training of staff and to monitoring and auditing compliance with policies are coming under increasing focus.