Intrusion Upon Medical Records

When the new tort of the intrusion upon seclusion first emerged in 2012 in Jones v. Tsige, many of us wondered how exactly it would be invoked in litigation. Many of us assumed reasonably that this would be an additional head of damages claimed, given the modest amount recognized by the court as reasonable for privacy breaches.

Since that time we have seen this tort employed in several cases with varying success. One of the more intriguing applications is where these small heads of damages can be advanced in the aggregate, namely in through class proceedings.

The ideal scenario for this type of situation to emerge would be a large institution, like a government or facility with significant records, to disclose en masse the personal information of members of the public. The type of information would also have to be the type of information the court considered reasonable to create the type of distress or anguish necessary, in the areas of finances, health, sexual practices, employment, or personal correspondents.

In less than two years we have seen these class actions emerge, and more recently, observed their presence in the area of medical records as well. The sheer volume of health information collected, used, and disclosed by health practitioners makes the health sector particularly vulnerable to this type of liability. Health records are particularly vulnerable to privacy breaches, and can be particularly sensitive, because they may also contain other private information such as sexual practices or personal thoughts through counselling notes.

The first medical records class action is Hopkins v. Kay, which was successful on a summary judgment motion earlier this year, where Justice Edwards stated,

[1] With the click of a mouse, personal health records can be accessed by those who have a legitimate interest in properly treating a patient – or they can be accessed for an improper purpose.

The second case involves a privacy breach at Rouge Valley Centenary for $412 million.

These cases have the potential to be successful on the basis of intrusion upon seclusion without reliance on other heads of damages at all, which completely transforms the risk assessment for employers and administrators. The health sector has identified this area as a significant operational issue which will require additional training, investment and review to minimize or eliminate vicarious liability as much as possible.

I explored these issues with some individuals earlier this week, and I am making the brief paper I used available here: New Tort of Intrusion Upon Seclusion and Electronic Health Records.

Comments

  1. That is a very useful resource, Omar. Thanks.

    One wonders if the Court of Appeal had any notion, in creating its apparently limited and modest remedy for the most outrageous cases, that it was creating a threat to the budgets of public institutions calculated (at least for publicity purposes) in the hundreds of millions of dollars.

    The US has had at least a common-law action for intrusion upon seclusion for a long time, yet none of the class actions brought as a consequence of a data breach has resulted in a judgment, and the overwhelming majority have been dismissed early on because no damages have been demonstrated. Why the difference? Is it that the intrusion on seclusion cases have an actual intruder, not just someone who has not taken care of the records? If so, would not the hospital cases be in the same position as the custodian of records in the data breach cases, i.e. not the cause of detectable and provable harm?

    Have any Canadian data breach cases got beyond an initial motion to dismiss for lack of damage?