NOTE of Jan. 3, 2012: Please see the CORRECTION to this entry that appears in the Comments section. My apologies for linking to what appears to have been inaccurate information – Dissent.
Alex Cameron and Sébastien Kwidzinski write:
The Durham Region Health Decision
In Rowlands v. Durham Region Health, the plaintiffs allege that a nurse employed by the Durham Region Health Department lost a USB thumb drive containing personal and confidential health information of over 83,500 patients.
[Remaining material deleted on Jan. 3, 2012 after receiving comment challenging the accuracy of the third party material]
Read more in the newsletter of Fasken Martineau. Note of Jan. 3, 2012: this newsletter no longer appears on their site.
I am counsel to the Region of Durham in the Rowlands class action referenced in the article above.
I am writing in regard to your summary of the Certification Motion Reasons in the above-noted class action.
In your summary of the certification motion in the case, you write: “The nurse involved had allegedly accessed private patient information relating to H1N1 flu vaccinations received between October 1 and December 16, 2009, including in respect of patients for whom she had not provided care.”
The foregoing statement clearly suggests that a Durham Region Health nurse reviewed private patient information for purposes other than in the course of her job as a Durham Region Health nurse. There is no allegation in the Statement of Claim, in the Plaintiff’s certification motion materials or in the Certification Motion Judge’s Reasons to support such a statement. In particular, there is no allegation, let alone evidence, that any nurse reviewed private patient information of any patient not within his or her care. The allegation in the Statement of Claim is limited to the fact that in the course of transporting the USB key between Durham Regional Headquarters and a remote flu shot site as part of the nurse’s duties as such, the USB key was inadvertently lost. There is no evidence that anyone ever found the USB key or accessed any of the data on the key after it was lost.
I would ask that you forthwith address the incorrect imputation which appears in your bulletin to avoid any further suffering to the involved nurse beyond what he or she has already endured as a result of the unfortunate and inadvertent loss of the USB key.
Thank you in advance for your cooperation,
David Boghosian
Hi David,
First, that was not my summary. As the blog entry shows, it was an excerpt from an article published by Fasken Martineau that I had linked to.
That said, I am happy to post your comments in their entirety so that anyone who may have read the original post can see your correction to it.
I note that the original Fasken Martineau article does not appear to be available online any more. Did they issue any retraction or apology that I can also link to? If so, please let me know.
HIPAA requires that all EPHI be encrypted, does it not? If records were transported on a USB drive it should have been encrypted or had other form of protection?
The statement “There is no evidence that anyone ever found the USB key or accessed any of the data on the key after it was lost” means nothing does it not? Wouldn’t the burden of proof be upon the hospital or applicable entity to prove nothing was accessed?
Please correct me, but I saw nothing saying the USB drive was properly encrypted or protected. I would challenge the hospital to provide the proof, that nothing was accessed.
Simple adherence to compliance mandates and common security-sense would have prevented this and many other breaches.
HIPAA doesn’t require encryption per se. Even if it did, this is not a U.S. case so HIPAA doesn’t apply. The Canadian counterpart, PHIPA, would apply, and Ontario’s privacy commissioner had previously issued an order about encryption on mobile devices (see this earlier post: http://www.phiprivacy.net/?p=1716).
If your main point is that the absence of proof is not proof of absence, I’d tend to agree. But in most U.S. courts (which this would not be in), you have to demonstrate actual harm and not just possible or increased risk of harm to prevail. I’m not sure how this plays out in Canada.