DataBreaches.net

DataBreaches.net

The Office of Inadequate Security

Menu
  • Breach Laws
  • About
  • Donate
  • Contact
  • Privacy
  • Transparency Reports
Menu

[CORRECTED] Ca: Privacy breach class action certified against Durham Region Health

Posted on December 21, 2011 by Dissent

NOTE of Jan. 3, 2012:  Please see the CORRECTION to this entry that appears in the Comments section.  My apologies for linking to what appears to have been inaccurate information – Dissent.

Alex Cameron and Sébastien Kwidzinski write:

The Durham Region Health Decision

In Rowlands v. Durham Region Health, the plaintiffs allege that a nurse employed by the Durham Region Health Department lost a USB thumb drive containing personal and confidential health information of over 83,500 patients.

[Remaining material deleted on Jan. 3, 2012 after receiving comment challenging the accuracy of the third party material]

Read more in the newsletter of Fasken Martineau. Note of Jan. 3, 2012: this newsletter no longer appears on their site.

Related Posts:

  • Ca: Durham Region Health class action lawsuit puts…
  • Pointer: Correction to an Earlier Post on Durham…
  • Cyberattack hits vaccine records for thousands of…
  • Ca: Health records of thousands lost in Durham
  • (follow-up) Ca: Durham told to encrypt health data…

Post navigation

← Norwegian sex scandal brewing? (updated)
Update: Stolen St. Charles laptop recovered →

4 thoughts on “[CORRECTED] Ca: Privacy breach class action certified against Durham Region Health”

  1. Anonymous says:
    January 3, 2012 at 5:10 pm

    I am counsel to the Region of Durham in the Rowlands class action referenced in the article above.

    I am writing in regard to your summary of the Certification Motion Reasons in the above-noted class action.

    In your summary of the certification motion in the case, you write: “The nurse involved had allegedly accessed private patient information relating to H1N1 flu vaccinations received between October 1 and December 16, 2009, including in respect of patients for whom she had not provided care.”

    The foregoing statement clearly suggests that a Durham Region Health nurse reviewed private patient information for purposes other than in the course of her job as a Durham Region Health nurse. There is no allegation in the Statement of Claim, in the Plaintiff’s certification motion materials or in the Certification Motion Judge’s Reasons to support such a statement. In particular, there is no allegation, let alone evidence, that any nurse reviewed private patient information of any patient not within his or her care. The allegation in the Statement of Claim is limited to the fact that in the course of transporting the USB key between Durham Regional Headquarters and a remote flu shot site as part of the nurse’s duties as such, the USB key was inadvertently lost. There is no evidence that anyone ever found the USB key or accessed any of the data on the key after it was lost.

    I would ask that you forthwith address the incorrect imputation which appears in your bulletin to avoid any further suffering to the involved nurse beyond what he or she has already endured as a result of the unfortunate and inadvertent loss of the USB key.
    Thank you in advance for your cooperation,
    David Boghosian

  2. Anonymous says:
    January 3, 2012 at 6:57 pm

    Hi David,

    First, that was not my summary. As the blog entry shows, it was an excerpt from an article published by Fasken Martineau that I had linked to.

    That said, I am happy to post your comments in their entirety so that anyone who may have read the original post can see your correction to it.

    I note that the original Fasken Martineau article does not appear to be available online any more. Did they issue any retraction or apology that I can also link to? If so, please let me know.

  3. Anonymous says:
    January 3, 2012 at 9:48 pm

    HIPAA requires that all EPHI be encrypted, does it not? If records were transported on a USB drive it should have been encrypted or had other form of protection?

    The statement “There is no evidence that anyone ever found the USB key or accessed any of the data on the key after it was lost” means nothing does it not? Wouldn’t the burden of proof be upon the hospital or applicable entity to prove nothing was accessed?

    Please correct me, but I saw nothing saying the USB drive was properly encrypted or protected. I would challenge the hospital to provide the proof, that nothing was accessed.

    Simple adherence to compliance mandates and common security-sense would have prevented this and many other breaches.

    1. Anonymous says:
      January 3, 2012 at 10:41 pm

      HIPAA doesn’t require encryption per se. Even if it did, this is not a U.S. case so HIPAA doesn’t apply. The Canadian counterpart, PHIPA, would apply, and Ontario’s privacy commissioner had previously issued an order about encryption on mobile devices (see this earlier post: http://www.phiprivacy.net/?p=1716).

      If your main point is that the absence of proof is not proof of absence, I’d tend to agree. But in most U.S. courts (which this would not be in), you have to demonstrate actual harm and not just possible or increased risk of harm to prevail. I’m not sure how this plays out in Canada.

Comments are closed.

Sponsored or Paid Posts

This site doesn’t accept sponsored posts and doesn’t respond to requests about them.

Have a News Tip?

Email:

Breaches[at]Protonmail.ch
Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Telegram: @DissentDoe

Browse by News Section

Latest Posts

  • Update: Cardiovascular Consultants Ltd. ransomware attack reportedly affected 500,000 patients, guarantors, and staff
  • Data breach by Addenbrooke’s Hospital reveals patient information
  • Millions of patient scans and health records spilling online thanks to decades-old protocol bug
  • Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements (GAO Report)
  • Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers
  • CBIZ KA Notice of Data Privacy Incident (Prime Healthcare)
  • Seeking clarification on Maine’s data breach notification statute
  • East River Medical Imaging notifies 605,809 patients of breach

Please Donate

If you can, please donate XMR to our Monero wallet because the entities whose breaches we expose are definitely not supporting our work and are generally trying to chill our speech!

Donate- Scan QR Code   Donate!

Social Media

Find me on Infosec.Exchange.

I am also on Telegram @DissentDoe.

RSS

Grab the RSS Feed

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.

HIGH PRAISE, INDEED!

“You translate “Nerd” into understandable “English” — Victor Gevers of GDI Foundation, talking about DataBreaches.net

©2023 DataBreaches.net