Victim of mental health privacy breach in Nova Scotia feels 'very exposed'
Man one of dozens whose confidential mental health information faxed to Bedford business
A man who is among dozens of patients over the last decade whose personal mental health information was mistakenly faxed to a Bedford business says he's upset, angry and feeling "very exposed" by the privacy breach.
"This is pretty serious stuff," he said. "This can ruin people's relationships, careers, a whole myriad of things."
The man, who wished to remain anonymous, told CBC News the information "absolutely" would have created disruption in his life if it had gone to the wrong person.
"If that information had of got out it would have been devastating," he said. "It is very frustrating and not acceptable. It's just not acceptable. That's the most personal of information."
Bedford businesswoman Lisa Belanger has been receiving faxes intended for the community mental health referral service in her area for years. Her business fax number is one number off the intended destination.
She said in each instance, she would contact the doctor's office that sent the fax to report that it had been sent to her in error, then destroy it.
Promised problem would be fixed
She approached CBC News with her story out of frustration, after contacting numerous bodies in an effort to get the faxes to stop. She said she was promised the problem would be fixed, but the privacy breaches continued.
The man who reached out to CBC News about his privacy breach said he was never notified of it at the time. He only learned of it this week when Belanger herself contacted him to say his information had been faxed to her last fall.
While many people may assume the person whose privacy has been breached is entitled to know, a spokesman with the office of the Nova Scotia privacy commissioner said that's not necessarily the case.
"The Personal Health Information Act does require that notification goes to somebody," said Robert Bay.
"So the question is: Is the notification to the individual whose privacy has been breached or is the notification to our office? The determining factors are the degree of harm or embarrassment that would result from the breach."
May not be notified
He says if the "custodians" who hold the personal information determine there is no potential harm or embarrassment, then the person whose information was mishandled may not be told.
That means the doctor whose office violated a patient's privacy is the one to determine how serious the breach is and whether the patient should be notified.
Notification to the privacy commissioner only became law on June 1, 2013.
Bay said since then the commission has been notified of a total of 27 breaches by custodians, but he was unable to say how many of them were doctors.
The commission said it has no way of knowing how many breaches resulted in notification to patients.