Former hospital employee charged in records breach
December 3, 2014
SCARBOROUGH, Ont. – A former clerk at Rouge Valley Centenary Hospital, just east of Toronto, who is said to have sold the medical records of new mothers to financial companies, has been charged with selling securities without a licence.
The Toronto Star reports the former employee, Shaida Bandali, was charged by the Ontario Securities Commission (OSC) with the “quasi-criminal” offence of “misusing” as many as 8,300 records, mostly of mothers who gave birth between 2009 and 2013.
It’s the first time anyone has been charged in relation to privacy breaches that came to light in recent months at numerous hospitals in the Toronto area.
Bandali, who has not been charged criminally, faces a penalty of up to five years less a day in jail, a fine of up to $5 million or some combination of the two. She is scheduled to appear in court on Dec. 12.
“It’s kind of disturbing that (the company) knew so much information about (my child). They knew a lot of things that they shouldn’t have,” said Bryan Burleigh, whose wife was contacted by a saleswoman only days after giving birth.
“I was recently contacted by another insurance company, so I don’t know if my information was sold to other companies,” he said. “I don’t understand how they would get it, because I don’t have insurance or anything else with that company.”
Bandali’s charges stem from “repeatedly breaching the confidentiality policies of her employer, the Rouge Valley Hospital, by accessing, copying or distributing confidential personal data of maternity patients to one or more Registered Education Savings Plan (RESP) dealer representatives,” the OSC said in a statement.
She is accused of creating investor lists from the stolen records of new mothers, providing them to RESP dealers and receiving payment for this without informing the hospital or the patients, according to the OSC.
When Rouge Valley Hospital discovered the records had been compromised, it sent out letters to the thousands of patients involved and alerted the OSC and the Ontario Privacy Commissioner. But the hospital contacted police only after the Toronto Star exposed the mass privacy breach.
Toronto police spokesperson Const. Jennifer Sidhu confirmed that Bandali wasn’t currently being investigated.
In November, the Star published an article stating that more than 400 health-related privacy violation complaints are lodged each year with the provincial Information and Privacy Commission. But because hospitals are not legally obliged to notify authorities, that total may not include thousands of violations that go unreported every year.
Even ex-Toronto Mayor Rob Ford has fallen victim to a hospital privacy breach. His medical records were inappropriately accessed on two separate occasions after he started receiving treatment for cancer this fall.
Acting Privacy Commissioner Brian Beamish said there should be stiffer penalties for health professionals who break patient confidentiality.
Lawyer Michael Crystal, who has filed a $412-million class-action lawsuit on behalf of the patients whose privacy was breached, welcomed the securities charges, saying they would help the patients identify the employees and financial companies involved in the scheme.
“At this point in time, we’re very limited in what we can say, but we’re very encouraged by the securities commission investigation … and we hope to be able to fill in the blanks in our pleadings,” Crystal said.