Health·CBC Investigates

Millions of Canadians don't have to be told if health information breached

The personal health information of hundreds of patients is breached every year, but most Canadians live in provinces where health-care providers don't have to tell victims or privacy watchdogs.

6 provinces have no legislation requiring notification of victims

Willa Magee of Shelburne, N.S., received a privacy breach notice from South West Nova District Health Authority in June 2012. She's now part of a class-action lawsuit against the health authority. (Steve Lawrence/CBC)

The personal health information of hundreds of patients is breached every year, but most Canadians live in provinces where health-care providers don't have to tell victims.

A CBC News investigation found six provinces, which have a combined population of about 20 million, have no legislation in place requiring hospitals, doctors and other health-care providers notify patients of a breach of their medical files.

Willa Magee of Shelburne, N.S., knows how it feels to have someone sneak through her private health information.

"I think it's very personal. Even if you don't have some terrible illness, it's just personal," she says. "You go to a health practitioner thinking that what you say to them is going to be held in confidence one way or another."

Magee is retired and moved east from Montreal in the 1990s. In the spring of 2012, she received a letter from the South West Nova District Health Authority informing her that she was among 707 patients whose privacy had been breached.

A breach can be anything from someone accidentally sending records to the wrong destination to someone stealing health information and selling it.

In Magee's case, it was "snooping," a clerk inappropriately accessed her medical records.

"I was pretty angry, to tell you the truth. First of all because I didn't know how badly they'd been breached or if … any of the records had been changed or what it all meant," Magee says.

But Magee actually has some cause for relief in an otherwise unfortunate situation. She lives in a province where hospitals are required to notify individuals of serious breaches. Otherwise, she might never have known.

You might never know

The legislative landscape across the country is uneven.

B.C., Alberta, Saskatchewan, Manitoba, Quebec and P.E.I. don't have legislation that requires health-care providers to notify patients of a breach.

In the jurisdictions that do have some form of notification requirement, the legislation often has a minimum harm threshold. In Yukon, for example, the bar for notification is "risk of significant harm as a result of the security breach."
Ottawa lawyer Michael Crystal is involved in five class action lawsuits regarding personal health information breaches. (Vic Modderman/CBC)

Ottawa-based lawyer Michael Crystal says notification is essential "if you are to have a confident patient-hospital or patient-medical health professional relationship."

Crystal is currently involved in five class action lawsuits involving thousands of patient records and says personal health information breaches are becoming more prevalent.

He says class action lawsuits are an important deterrent, but there's also room for privacy commissioners and prosecutors to take action.

"The prosecutions will play significant roles, because what really needs to change is the behaviour and the perception by hospitals as to the priority which personal health information ought to receive."

Reporting to privacy watchdogs

The information CBC News gathered from privacy watchdogs and health authorities from across the country suggests there were more than 1,300 breach reports in 2015, compared to 922 in 2014. The numbers include provinces where custodians of health information don't have to report breaches to their respective privacy watchdogs. 

These provinces include B.C., Alberta, Saskatchewan, Manitoba, Ontario, Quebec and P.E.I., although Ontario, Alberta and P.E.I. have passed legislation that, once implemented, will make it a requirement.

Catherine Tully, Nova Scotia's information and privacy commissioner, says if you look at jurisdictions where prosecutions have occurred under privacy law, "it's almost always the privacy commissioner who raises the issue with Crown or police based on serious breach notifications."

Nova Scotia's law requires notifying the actual victims of serious breaches, but health officials are only required to report minor breaches to Tully.

"So without this information, I'm not able to assist the Crown and police in prosecuting serious breaches," she says.

Court cases

Brian Beamish, Ontario's information and privacy commissioner, says his preference wouldn't be to refer breach cases to the attorney general for prosecution.

He's been in the role since 2014, and says prosecution is a tool that should be used selectively. He says losing one's job and the bad publicity that can come along with violating privacy is punishment enough in some cases.

Nonetheless, he's referred five cases for prosecution since 2015. Three of those resulted in convictions for snooping.

Those numbers exceed what other jurisdictions reported to CBC News, with the exception of Alberta where the privacy commissioner has referred six cases since 2011 resulting in four convictions.
Brian Beamish, Ontario's information and privacy commissioner, says his preference wouldn't be to refer privacy breach cases to the attorney general for prosecution. (Keith Whalen/CBC)

The clerk who snooped through Willa Magee's file was fired, and Magee is now part of a class action lawsuit against the health authority set to go to trial in June 2017.

She wants tough penalties for those who break the bond of trust between patient and health-care provider.

"It's only the people whose records have been breached, whose privacy's been breached, that are still in the dark and out in the cold."