R v Bandali: Patient Information and Securities Trading in Ontario

Personal Health Information Protection in Ontario

We live in a time where we are constantly bombarded with information. At the same time,  more and more institutions and businesses are keeping track of our personal data. Sometimes this information is shared inappropriately and some other times, where it should be shared, it is not. In Ontario, people often complain when their healthcare information is not being shared between providers and specialists, thus making the process of going to the doctor unnecessarily time consuming. It was not until recently that we have started to have a public debate about who can access our healthcare information within the medical system and how this information can be abused.

Issues around improper access to medical records came to the forefront in 2014 when then Toronto Mayor Rob Ford was diagnosed with cancer. It emerged that two hospital workers had improperly accessed his medical file and the Privacy Commissioner got involved. Love him or hate him, former Mayor Ford captivated our collective curiosities with his behaviour, but the breach in privacy during his most vulnerable time also spoke to our own fears of exposure of our private medical histories. Even if the hospital workers accessed his file out of sheer curiosity, or boredom during a long shift, their behaviour is not acceptable.

Since 2004, Ontario has had a Personal Health Information Protection Act, SO 2004, c 3 [PHIPA]. However, charges under PHIPA have never resulted in a conviction. In reality, only one has made it to the courts and even that case was stayed because the prosecution mishandled it. Under the PHIPA, hospitals are not mandated to report privacy breaches to the Privacy Commissioner, but they have done so with the most blatant cases. The Privacy Commissioner then conducts an investigation which it then has to refer to the Attorney General (“AG”) for them to initiate a prosecution. This means a separate police investigation and a call from the AG on whether it needs to pursue the charge. On top of everything else, PHIPA says that the charges must come within 6 months from the privacy breach occurring. This restriction leaves little time for proper investigation.

It is very interesting therefore that a successful hospital worker privacy breach was prosecuted this past year under Ontario’s Securities Act, RSO 1990, c S.5 [SA] and not under PHIPA. The particular circumstances of the case made it possible for the Ontario Securities Commission (“OSC”) to pursue charges in this particular case, but, this is not likely to be a precedent to medical information privacy breaches in the future. In R v Bandali, 2015 ONCJ 652 [Bandali], Ms. Bandali pleaded guilty to securities trading without being registered to do so in relation to her selling of patient information. She was sentenced to a fine of $36,000, a two year probationary period, and 300 hours of community service.

Facts

Ms. Bandali worked as a file clerk for Rouge Valley Hospital for 18 years. Starting in 2000, she improperly obtained names of mothers who had given birth at Rouge Valley, along with their addresses and phone numbers. This information was then passed on to Ms. Paula Edry of Knowledge First Financial. Ms. Edry used these names as potential investor contacts for her company’s education plans. Knowledge First Financial would then call the new mothers and try to sell them education plans for their newborns. Ms. Bandali received $1 – $2.75 per name for this deal and made approximately $12,000 between 2012 and 2014.

After the breach to privacy data was discovered when Ms. Bandali mistakenly left the patient data in one of the hospital photocopiers, Rouge Valley voluntarily contacted the Privacy Commissioner and the Ontario Securities Commission for investigations. Ms. Bandali was charged with unregistered securities trading under the SA; not a criminal charge but one which can come with a prison sentence of up to five years minus a day. Under the SA, no one shall engage in the business of trading in securities unless registered under Ontario’s securities law and Ms. Bandali was not registered (Bandali, para 6). Ms. Bandali was engaged in the business of trading in securities by supplying for profit the names of potential investors to Ms. Edry. The provision of the names was an act that was done in furtherance of a securities trade, even though only some of the contacted people purchased RESPs from Knowledge First Financial (para 8).

OSC investigations are known to find ways to fulfill the SA’s purpose even if the SA itself does not specifically prohibit a particular behaviour. Therefore it is easy to see why Ms. Bandali pled guilty. But the judgment points to some incongruence in connecting the harm suffered by the victims with what the SA is designed to protect. The SA is designed to protect investors from unfair, improper, or fraudulent practices and to encourage fair and efficient capital markets (para 12). Usually, the breach in trust related to the SA deals specifically with the trust investors place in those they choose and rely on to deal with their money (para 15). In this case the breach in trust was between the hospital and its workers in relation to the patients. Some of these patients had not even bought the services sold by Ms. Edry. The victim impact statements attest to  concerns of privacy in relation to medical information, but not to financial hardship due to investment in the education plan.

One of the women who was called by the company stated “I don’t feel safe anymore” and “how can a hospital not protect my data?” (para 16) Another woman was concerned as to what would happen with her “extremely thick” medical file. She further stated that “you believe the staff working in the hospital are people you can trust, you end up there not because you choose to most of the time, but because your life depends on it. What else in my file has been seen or sold?” (para 17). For the victims the concern is not so much the trading in securities but the extent of the private medical information that was released from the breach.

The OSC’s charges are legitimately valid and Ms. Bandali’s lawyers considered the judgment fair. But in the end, we are all left with the unease that Ms. Bandali’s punishment was not targeting the core of the victim’s concerns. The feeling of uneasiness as to what will be done with your personal medical information still remains and the proper aspects of the breach were not addressed. For all we know, Ms. Bandali was not really concerned with the medical history of the mothers but only with their contact information. But how can we re-assure those fears?

What Next?

In September of 2015, Ontario Minister of Health, Eric Hoskins introduced Bill 119 in the Ontario Legislature. Bill 119, among other things, deals with the amendment of PHIPA in four main areas. It will make it mandatory for healthcare providers to report certain privacy breaches to the Information Privacy Commissioner and regulatory colleges,  remove the 6 month limitation period for prosecutions,  require the consent of the AG to prosecute instead of requiring the AG to start the prosecution, and double the fines for those found in breach to $100,000 for individuals and $500,000 for organizations. The amendments have currently been referred to committee for hearings when the house resumes in February of 2016. The majority of these amendments would resolve some of the issues that have prevented PHIPA from being used as the effective tool it was meant to be when it was enacted back in 2004.