The full press release:
A review by the Information and Privacy Commissioner of Ontario (IPC) of two significant privacy breaches involving the sale of new mothers’ personal health information for financial gain has determined that Rouge Valley Health System (hospital) failed to put in place reasonable technical and administrative safeguards to protect patient information. In an Order issued today, Acting Commissioner Brian Beamish found the hospital was not in compliance with its obligations under the Personal Health Information Protection Act, 2004 (PHIPA) and ordered the hospital to implement changes to its electronic information systems, revise its privacy and audit policies, as well as deliver privacy training to all staff.
Key Facts and Findings:
- Both reported breaches involved allegations of clerical employees using and/or disclosing information about new mothers for financial gain, through the selling or marketing of Registered Education Saving Plans.
- More than 14,000 patients were potentially affected.
- Auditing access to personal health information is an essential technical safeguard for deterring and detecting unauthorized access to personal health information.
- There were shortcomings in the audit functionality of one of the hospital’s electronic information systems that were not fully addressed before the second breach was discovered.
- The hospital’s privacy policies, training and awareness programs were insufficient.
The IPC has ordered the Hospital to:
- Implement measures to ensure the hospital is able to audit all instances where staff access personal health information.
- Review and revise the hospital’s auditing policies to require random audits on all users’ activities on all of its electronic information systems.
- Develop and implement new policies for privacy training, privacy awareness, and privacy breach management.
- Immediately review and revise all privacy training tools and materials, and deliver training for all staff at the hospital.
Given the increasing number of privacy breaches involving staff accessing personal health information of patients in an unauthorized manner, more needs to be done to address what appears to be a growing problem. To that end, the IPC has initiated discussions with the Ministry of Health and Long-Term Care and the Ministry of the Attorney General with a view to developing a procedure for commencing prosecutions in appropriate cases.
Quote: “Over the last decade we have seen a growing number of privacy breaches involving unauthorized access to personal health information by staff within the health sector. Whether it is being done out of curiosity, or as in this case for financial gain, it is simply unacceptable. This Order should send a strong message to all health information custodians in Ontario, including hospitals, that they must implement reasonable measures and safeguards to eliminate or reduce the risks that may arise from unauthorized access. The strong message to staff is that there will be serious consequences arising from their actions.” ~ Brian Beamish, Acting Information and Privacy Commissioner of Ontario
OK, this is a bit different. There’s an update to a breach at Rouge Valley Hospital that was previously noted on this blog and that has already resulted in a lawsuit. The Canadian Press reports:
A former clerk at the Rouge Valley hospital group in southern Ontario has been charged following an investigation into the alleged misuse of confidential information from maternity patients. The Ontario Securities Commission says that between Jan. 1, 2010 and March 31, 2014 Shaida Bandali of Pickering engaged in trading in securities without being registered to do so. It’s alleged she breached the confidentiality policies of her employer by accessing, copying or distributing personal data of maternity patients to one or more Registered Education Savings Plan representatives.
Read more on CTV Toronto.
The Ontario Securities Commission issued the following press release:
The Ontario Securities Commission (OSC) announced today that Ms. Shaida Bandali of Pickering, Ontario has been charged with alleged breaches of the Securities Act (Ontario) following an investigation by the OSC’s Joint Serious Offences Team (JSOT) related to the misuse of confidential information at Rouge Valley Hospital. Bandali is a former clerk at the hospital and has been charged with unregistered trading, contrary to s. 25(1) of the Securities Act.
It is alleged that between January 1, 2010 and March 31, 2014, Bandali engaged in the business of trading in securities without being registered to do so in relation to the following particulars:
- Repeatedly breaching the confidentiality policies of her employer, the Rouge Valley Hospital, by accessing, copying, or distributing confidential personal data of maternity patients to one or more Registered Education Savings Plan (RESP) dealer representatives;
- Creating investor lists from unauthorized access to confidential maternity patient information;
- Selling investor lists drawn from unauthorized access to confidential maternity patient information to one or more RESP dealer representatives in the business of soliciting clients; and
- Receiving monies for confidential maternity patient information from RESP dealer representatives without disclosing her conduct to her employer and to maternity patients.
The first court appearance for Bandali in this matter is scheduled to take place December 12, 2014 at 11:00 a.m. in Courtroom #111 at the Old City Hall – Ontario Court of Justice, 60 Queen Street West, Toronto, Ontario.
The JSOT investigation into this matter is ongoing and continues on a priority basis.
JSOT was established by the OSC as an enforcement partnership between the OSC, the Royal Canadian Mounted Police Financial Crime program and the Ontario Provincial Police Anti-Rackets Branch. The primary objective of JSOT is to protect investors and further enhance confidence in the Canadian capital markets through effective enforcement. This is accomplished through collaborative investigations of serious violations of the law using the provisions of the Securities Act or the Criminal Code of Canada.
The mandate of the OSC is to provide protection to investors from unfair, improper or fraudulent practices and to foster fair and efficient capital markets and confidence in the capital markets.
Investors are urged to check the registration of any persons or company offering an investment opportunity and to review the OSC investor materials available at http://www.osc.gov.on.ca
They don’t seem to say what penalties or consequences she could face if convicted, but their press release headline suggests the charges she faces are “quasi-criminal.” You can access the Securities Act here if you want to read up more on the regulations and the penalties available.
A breach at Rouge Valley Centenary that involved the contact information of 8,300 new mothers possibly being sold by two employees to multiple Registered Education Savings Plan (RESP) companies may also have affected new mothers at Rouge Valley Health System’s (RVHS) Ajax and Pickering site. It is not clear, however, whether the same two employees were responsible. CP24 has the update. In June, a $412 million potential class action lawsuit was filed against Rouge Valley Centenary.
On August 8, RVHS posted a notice to patients on its website, linked from the home page:
Notice to patients of the Rouge Valley Centenary Birthing Centre unit between November 2009 and early July 2014, and Rouge Valley Ajax and Pickering Maternal and Newborn Services unit between April 2014 and early July 2014
In compliance with section 12(2) of the Personal Health Information Protection Act, this notice is to notify the above noted patients of a privacy breach which was confirmed in early July 2014.
For some time, the hospital’s birthing centres offered baby photography services through Just Arrived Baby Photography (the photographer). The photography service has been in place at our Rouge Valley Centenary (RVC) campus since November 2009 and at the Rouge Valley Ajax and Pickering (RVAP) campus since April 2014. We have recently learned that instead of simply receiving the name and room number of new mothers to determine whether new mothers would like to receive the photography services offered, the photographer was provided with a list daily which contained patient name, room number, age, gender, physician name, length of stay in hospital, type of diet (RVAP only), type of room accommodation in hospital (RVC only) and reason for admission to hospital (RVC only). The list was only used to approach new mothers in the hospital to offer photography services. It was not used for any other purpose and it was not provided to any third party.
The list never left the hospital, and it was shredded by the photographer. The hospital takes privacy protection very seriously and sincerely regrets this breach of privacy. We are conducting a review of our practices to ensure that privacy is protected. The Information & Privacy Commissioner/Ontario has also been notified. If you would like to discuss this matter or you have any questions, please do not hesitate to contact our Patient Relations office at [email protected] or call 416-284-8131 ext. 4742.
The notice is somewhat puzzling as it seems to say an external breach didn’t happen via the photography service, but it doesn’t explain what did happen or how the external breach occurred.
Update: Toronto Star reports that the second location had 6,000 patients affected.
Joel Eastwood reports: A $412-million class action lawsuit has been brought against a Scarborough hospital on behalf of thousands of patients whose personal information was leaked by two former employees. The hospital revealed earlier this month that the contact information of as many as 8,300 patients at Rouge Valley Centenary, mainly mothers who gave birth between 2009 and 2013, had allegedly been handed over to private companies which marketed RESP investments to the new parents. The hospital subsequently contacted the Toronto Police Service. The Ontario Securities Commission is also conducting an investigation. Read more on The Toronto Star.
Joel Eastwood reports: A major privacy breach at a Scarborough hospital is being investigated by Ontario’s privacy commissioner after the contact information of thousands of new mothers was leaked to companies that were allegedly paying off hospital employees. As many as 8,300 patients had their name, address and phone number turned over to private companies selling Registered Education Savings Plans by two staff members at Rouge Valley Centenary hospital. The patients affected were mainly mothers who gave birth at the hospital between 2009 and 2013. The personal information of the new parents was used by the companies to try to sell them RESP investments. Read more on the Toronto Star.
The OSC today announced that Nellie Acar, Esther Cruz, Polina (Poly) Edry and Subramanian Sulur entered guilty pleas to charges laid following an investigation by the OSC’s Joint Serious Offences Team (JSOT) related to the misuse of confidential patient information from the Rouge Valley Health System and the Scarborough Hospital.
Acar pleaded guilty to one count of secret commissions contrary to s. 426(1)(a) of the Criminal Code and one count of using a forged document contrary to s. 368(1)(b) of the Criminal Code at Scarborough – Ontario Court of Justice before Justice K. Doorly (Justice Doorly). Cruz pleaded guilty to two counts of secret commissions contrary to s. 426(1)(a) of the Criminal Code at Scarborough – Ontario Court of Justice before Justice Doorly.
Acar was formerly employed as a Global RESP Corporation sales representative. Esther Cruz was formerly employed as a registered nurse in the maternity departments of the Rouge Valley Health System and the Scarborough Hospital.
Acar acknowledged in court that between April 1, 2014 and June 30, 2014, she knowingly used a forged document as if it were genuine. In addition, she acknowledged that between January 1, 2012 and April 30, 2014, she corruptly gave Cruz a monetary reward not exceeding $5000 as consideration for providing patient information to Acar.
Cruz acknowledged in court that between January 1, 2012 and August 30, 2014, she corruptly accepted monetary rewards not exceeding $5000 for providing patient information to Acar in relation to her employment at the Rouge Valley Health System and the Scarborough Hospital.
Both individuals were sentenced to six-month conditional sentences, the first three months of which are house arrest. In addition, both accused were given two years’ probation with conditions and are required to perform 340 hours of community service.
Edry and Sulur each pleaded guilty to one count of participating in an improper referral arrangement with another person or company contrary to National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations and contrary to s. 122(1) of the Securities Act (Ontario) at Old City Hall – Ontario Court of Justice before Justice M. McLeod.
Edry was formerly a Branch Manager for Knowledge First Financial Inc. and Sulur was formerly an Assistant Branch Manager for C.S.T. Consultants Inc. Both were registered dealers.
Edry acknowledged in court that between January 1, 2012 and May 1, 2014, she purchased names from Shaida Bandali (a former employee of the Rouge Valley Health System), who she knew worked in a medical facility. The names were those of new parents of children that came from that medical facility. Edry also admitted that she was wilfully blind to the fact that not all of the patients had agreed to have their personal information shared. Edry admitted to paying Bandali $10,513.25 or approximately $2.50-2.75 per name. She purchased the names from Bandali to use as sources of potential Registered Education Savings Plans (RESP) investment sales leads.
Edry is scheduled to appear for sentencing on August 23, 2016 at 10:00 a.m. at Old City Hall, 60 Queen Street West in Toronto, Ontario. Sentencing submissions for Sulur are scheduled for June 22, 2016 at 10:00 a.m. at Old City Hall, 60 Queen Street West in Toronto, Ontario.
JSOT was established by the OSC as an enforcement partnership between the OSC, the Royal Canadian Mounted Police Financial Crime program and the Ontario Provincial Police Anti-Rackets Branch. The primary objective of JSOT is to protect investors and further enhance confidence in the Canadian capital markets through effective enforcement. This is accomplished through collaborative investigations of serious violations of the law using the provisions of the Securities Act or the Criminal Code.
SOURCE: Ontario Securities Commission
Jacques Gallant has a follow-up to a case that I’ve been covering on this site since it was first disclosed: A former Rouge Valley hospital records clerk was fined $36,000 and given two years of probation on Monday for selling thousands of maternity patient records to RESP firms. Shaida Bandali, 62, pleaded guilty earlier this year to selling securities without a licence. Read more on Toronto Star. It’s surprising to me to see someone charged with selling securities without a license for this type of thing, and I wonder if that’s a charge that might also be used in the U.S. Any U.S. lawyers have an opinion on that?
Marco Chown Oved reports: She admitted to stealing more than 12,000 patient records from the maternity ward at the Rouge Valley Hospital and selling them for $1 a pop to financial firms, and for this Shaida Bandali should go to jail, an Ontario Securities Commission prosecutor said Tuesday. “Ms. Bandali essentially trafficked in the identities of these patients for one reason and one reason only: for her own selfish, financial gain,” OSC prosecutor Cameron Watson told the court. “She didn’t make hundreds of thousands of dollars, but she made just shy of $15,000 and she did that on the back on patients and hospitals.” Read more on Toronto Star.
An update from Marco Chown Oved on the Rouge Valley Hospital insider breach reported last year: A former Rouge Valley Hospital clerk has pleaded guilty to stealing thousands of patient records and selling them to financial brokers over the course of more than a decade. Shaida Bandali, 61, who worked at Rouge Valley from 1995-2014, accessed confidential maternity ward records, including the names and contact information of mothers as well as the names and birthdates of their babies, and sold them for between $1 and $2.75 each to salespeople of Registered Education Savings Plans (RESPs), according to an agreed statement of facts read out in court Monday. Read more on Toronto Star.
A press statement issued by Global RESP:
Global RESP Corporation “Global” and the Global family of companies have always respected and protected the public’s private information and will continue to do so. Earlier today, the OSC issued a statement regarding a former, independent Dealing Representative, Nellie Acar, who allegedly purchased patient information from an employee of the Rouge Valley Health System. Global took immediate action once notified of Ms. Acar’s alleged activities and terminated her, as it is a severe violation of our policies and procedures. Global has fully cooperated with the Ontario Securities Commission’s Joint Serious Offences Team during this investigation and will continue to do so until the matter is closed.
About the Global family of companies and associated companies
The Global family of companies and associated companies is a dynamic financial services company that has been helping to shape the financial future of Canadians since 1998. Today, Global has grown to become one of the largest independent full-service financial firms in Canada with over $3 billion in assets under administration and management, providing mutual funds, stocks, bonds, insurance, long-term investments, education savings plans and other investments. The Global family of companies and associated companies includes Global RESP Corporation (GRESP), Global Maxfin Investments Inc. (GMII), Global Maxfin Capital Inc. (GMCI), Global Insurance Solutions Inc. (GISI) and Global Growth Assets Inc. (GGAI). With offices in British Columbia, Alberta, Ontario and Quebec, more than 100 employees and hundreds of independent representatives and advisors across the country, our goal is to be the company of choice to meet the financial needs of Canadian individuals and families.
SOURCE Global RESP Corporation