Ontario’s public institutions saw more than 10,000 privacy breaches last year, according to the province’s privacy watchdog, who is warning of a significant rise of “snooping” in personal records. But that number may only represent a small part of the problem.
Information and Privacy Commissioner Patricia Kosseim’s annual report, published in June, said cases of snooping rose 34 per cent in 2023. But only the health and children and youth sectors are obligated to report breaches to her office, she noted.
Snooping involves workers accessing sensitive or personal information even though it isn’t required or permitted as part of their job. Kosseim told CBC Toronto she’s particularly concerned about a reported rise of such incidents.
“We know that voyeurism is a criminal offence, and you know, to my mind deliberately snooping in someone’s record is no less blameworthy than a ‘peeping Tom’ peering into someone’s bedroom,” she said.
Kosseim’s office found self-reported health privacy breaches of snooping nearly doubled to 197 in 2023, from 104 in 2019. She said such breaches can significantly undermine the public’s trust in public health.
Reducing health-sector privacy breaches
The confidential relationship between a person and their health-care provider is fundamental to the system, says Alisha Kapur, an associate lawyer at Rosen Sunshine LLP. The firm focuses on health and regulatory law, and often provides guidance to health-care organizations on privacy best practices.
“If [a patient] feels that the relationship is compromised, it makes people not want to share information, and that can affect their care,” Kapur said.
Provincial law mandates that patients be notified if their privacy has been breached. In the instance of a breach, a victim may take civil action if they choose. Kapur noted that it “depends on if the plaintiff, who is the victim, wants to bring that kind of action, because civil actions can be costly and stressful and very drawn out.”
Criminal penalties for snooping are also possible if the information was used for criminal purposes, such as fraud or impersonating a victim.
Kapur says one way to prevent breaches is by ensuring policies and procedures are kept updated and reviewed on a regular basis. And training all staff who collect or access personal health information is vital, she says.
“There is no use in having strong policies if the staff who have access to personal health information records don’t know what they are required to do to safeguard those records,” she said.
Of the 10,770 reported breaches of privacy in 2023 involving personal health information, 6,435 occurred in hospital settings.
In a statement, the president and CEO of the Ontario Hospital Association said its members have “robust policies” in place to ensure staff comply with provincial privacy law.
“All hospital staff with access to personal health information undergo annual training to ensure their ongoing awareness of their responsibilities,” said Anthony Dale.
Hospitals are always working to strengthen policies and procedures, with routine monitoring and audits in an effort to protect sensitive patient information and prevent privacy breaches from occurring, Dale added.
Misdirected faxes, cyber breaches also increasing
Kosseim’s annual report also found that instances of misdirected faxes and cyberattacks similarly increased in Ontario.
There were 5,093 faxes sent to the wrong recipient in 2023, the report said, up 10 per cent from the previous year and accounting for just over half of all health privacy breaches.
Last year, Premier Doug Ford’s government promised to phase out faxes in health over a five-year period.
“We are really continuing to urge the government to keep this priority on the front burner, particularly in the health sector,” said Kosseim, adding that it’s troubling misdirected faxes continue to be an issue given the widespread availability of more modern technology.
Meanwhile, the number of cyberattacks reported to Kosseim’s office nearly doubled in 2023. Those reports are coming from a wide swath of the public sector, including municipalities, universities, school boards and hospitals.
“It’s a big issue and it’s one that has governments, organizations, regulators like my office, all trying to curb this horrible trend of rising cyberattacks, including ransomware, which wreaks havoc on everybody’s lives and really undermines the integrity of our digital systems,” Kosseim said.
In May, Ontario’s minister of public and business service delivery tabled Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act. Provisions within the bill go a long way toward addressing some of the primary problems raised in the annual report, Kosseim said.
If it becomes law, the act would mandate that all provincial ministries, departments and agencies report privacy breaches to Kosseim’s office. Currently, only public institutions in the health and children and youth sectors are required to do so by law.
Bill 194 was last debated at Queen’s Park on May 28, with further debate expected when the legislature resumes in the fall.