DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

[CORRECTED] Ca: Privacy breach class action certified against Durham Region Health

Posted on December 21, 2011 by Dissent

NOTE of Jan. 3, 2012:  Please see the CORRECTION to this entry that appears in the Comments section.  My apologies for linking to what appears to have been inaccurate information – Dissent.

Alex Cameron and Sébastien Kwidzinski write:

The Durham Region Health Decision

In Rowlands v. Durham Region Health, the plaintiffs allege that a nurse employed by the Durham Region Health Department lost a USB thumb drive containing personal and confidential health information of over 83,500 patients.

[Remaining material deleted on Jan. 3, 2012 after receiving comment challenging the accuracy of the third party material]

Read more in the newsletter of Fasken Martineau. Note of Jan. 3, 2012: this newsletter no longer appears on their site.

Related posts:

  • Ransomware Resources for HIPAA Regulated Entities
Category: Health Data

Post navigation

← Norwegian sex scandal brewing? (updated)
Update: Stolen St. Charles laptop recovered →

4 thoughts on “[CORRECTED] Ca: Privacy breach class action certified against Durham Region Health”

  1. Anonymous says:
    January 3, 2012 at 5:10 pm

    I am counsel to the Region of Durham in the Rowlands class action referenced in the article above.

    I am writing in regard to your summary of the Certification Motion Reasons in the above-noted class action.

    In your summary of the certification motion in the case, you write: “The nurse involved had allegedly accessed private patient information relating to H1N1 flu vaccinations received between October 1 and December 16, 2009, including in respect of patients for whom she had not provided care.”

    The foregoing statement clearly suggests that a Durham Region Health nurse reviewed private patient information for purposes other than in the course of her job as a Durham Region Health nurse. There is no allegation in the Statement of Claim, in the Plaintiff’s certification motion materials or in the Certification Motion Judge’s Reasons to support such a statement. In particular, there is no allegation, let alone evidence, that any nurse reviewed private patient information of any patient not within his or her care. The allegation in the Statement of Claim is limited to the fact that in the course of transporting the USB key between Durham Regional Headquarters and a remote flu shot site as part of the nurse’s duties as such, the USB key was inadvertently lost. There is no evidence that anyone ever found the USB key or accessed any of the data on the key after it was lost.

    I would ask that you forthwith address the incorrect imputation which appears in your bulletin to avoid any further suffering to the involved nurse beyond what he or she has already endured as a result of the unfortunate and inadvertent loss of the USB key.
    Thank you in advance for your cooperation,
    David Boghosian

  2. Anonymous says:
    January 3, 2012 at 6:57 pm

    Hi David,

    First, that was not my summary. As the blog entry shows, it was an excerpt from an article published by Fasken Martineau that I had linked to.

    That said, I am happy to post your comments in their entirety so that anyone who may have read the original post can see your correction to it.

    I note that the original Fasken Martineau article does not appear to be available online any more. Did they issue any retraction or apology that I can also link to? If so, please let me know.

  3. Anonymous says:
    January 3, 2012 at 9:48 pm

    HIPAA requires that all EPHI be encrypted, does it not? If records were transported on a USB drive it should have been encrypted or had other form of protection?

    The statement “There is no evidence that anyone ever found the USB key or accessed any of the data on the key after it was lost” means nothing does it not? Wouldn’t the burden of proof be upon the hospital or applicable entity to prove nothing was accessed?

    Please correct me, but I saw nothing saying the USB drive was properly encrypted or protected. I would challenge the hospital to provide the proof, that nothing was accessed.

    Simple adherence to compliance mandates and common security-sense would have prevented this and many other breaches.

    1. Anonymous says:
      January 3, 2012 at 10:41 pm

      HIPAA doesn’t require encryption per se. Even if it did, this is not a U.S. case so HIPAA doesn’t apply. The Canadian counterpart, PHIPA, would apply, and Ontario’s privacy commissioner had previously issued an order about encryption on mobile devices (see this earlier post: http://www.phiprivacy.net/?p=1716).

      If your main point is that the absence of proof is not proof of absence, I’d tend to agree. But in most U.S. courts (which this would not be in), you have to demonstrate actual harm and not just possible or increased risk of harm to prevail. I’m not sure how this plays out in Canada.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.