DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

[CORRECTED] Ca: Privacy breach class action certified against Durham Region Health

Posted on December 21, 2011 by Dissent

NOTE of Jan. 3, 2012:  Please see the CORRECTION to this entry that appears in the Comments section.  My apologies for linking to what appears to have been inaccurate information – Dissent.

Alex Cameron and Sébastien Kwidzinski write:

The Durham Region Health Decision

In Rowlands v. Durham Region Health, the plaintiffs allege that a nurse employed by the Durham Region Health Department lost a USB thumb drive containing personal and confidential health information of over 83,500 patients.

[Remaining material deleted on Jan. 3, 2012 after receiving comment challenging the accuracy of the third party material]

Read more in the newsletter of Fasken Martineau. Note of Jan. 3, 2012: this newsletter no longer appears on their site.

Category: Health Data

Post navigation

← Norwegian sex scandal brewing? (updated)
Update: Stolen St. Charles laptop recovered →

4 thoughts on “[CORRECTED] Ca: Privacy breach class action certified against Durham Region Health”

  1. Anonymous says:
    January 3, 2012 at 5:10 pm

    I am counsel to the Region of Durham in the Rowlands class action referenced in the article above.

    I am writing in regard to your summary of the Certification Motion Reasons in the above-noted class action.

    In your summary of the certification motion in the case, you write: “The nurse involved had allegedly accessed private patient information relating to H1N1 flu vaccinations received between October 1 and December 16, 2009, including in respect of patients for whom she had not provided care.”

    The foregoing statement clearly suggests that a Durham Region Health nurse reviewed private patient information for purposes other than in the course of her job as a Durham Region Health nurse. There is no allegation in the Statement of Claim, in the Plaintiff’s certification motion materials or in the Certification Motion Judge’s Reasons to support such a statement. In particular, there is no allegation, let alone evidence, that any nurse reviewed private patient information of any patient not within his or her care. The allegation in the Statement of Claim is limited to the fact that in the course of transporting the USB key between Durham Regional Headquarters and a remote flu shot site as part of the nurse’s duties as such, the USB key was inadvertently lost. There is no evidence that anyone ever found the USB key or accessed any of the data on the key after it was lost.

    I would ask that you forthwith address the incorrect imputation which appears in your bulletin to avoid any further suffering to the involved nurse beyond what he or she has already endured as a result of the unfortunate and inadvertent loss of the USB key.
    Thank you in advance for your cooperation,
    David Boghosian

  2. Anonymous says:
    January 3, 2012 at 6:57 pm

    Hi David,

    First, that was not my summary. As the blog entry shows, it was an excerpt from an article published by Fasken Martineau that I had linked to.

    That said, I am happy to post your comments in their entirety so that anyone who may have read the original post can see your correction to it.

    I note that the original Fasken Martineau article does not appear to be available online any more. Did they issue any retraction or apology that I can also link to? If so, please let me know.

  3. Anonymous says:
    January 3, 2012 at 9:48 pm

    HIPAA requires that all EPHI be encrypted, does it not? If records were transported on a USB drive it should have been encrypted or had other form of protection?

    The statement “There is no evidence that anyone ever found the USB key or accessed any of the data on the key after it was lost” means nothing does it not? Wouldn’t the burden of proof be upon the hospital or applicable entity to prove nothing was accessed?

    Please correct me, but I saw nothing saying the USB drive was properly encrypted or protected. I would challenge the hospital to provide the proof, that nothing was accessed.

    Simple adherence to compliance mandates and common security-sense would have prevented this and many other breaches.

    1. Anonymous says:
      January 3, 2012 at 10:41 pm

      HIPAA doesn’t require encryption per se. Even if it did, this is not a U.S. case so HIPAA doesn’t apply. The Canadian counterpart, PHIPA, would apply, and Ontario’s privacy commissioner had previously issued an order about encryption on mobile devices (see this earlier post: http://www.phiprivacy.net/?p=1716).

      If your main point is that the absence of proof is not proof of absence, I’d tend to agree. But in most U.S. courts (which this would not be in), you have to demonstrate actual harm and not just possible or increased risk of harm to prevail. I’m not sure how this plays out in Canada.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AMI Group – Travel & Tours notice of ransomware attack
  • Resource: Insider Threat reports
  • Za: Cyber extortionist sentenced to eight years in jail
  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.