In a story that could have been ripped from the pages of Peyton Place, a Canadian healthcare group is named in a class action suit over what is described as a years-long campaign by a medical “Peeping Tom,” who abused her access to patient health records, including her own sister’s information, for personal titillation.
Trillium Health Partners, Mississauga ophthalmologist Dr. Tony Vettese, and his assistant, Lisa Lyons, are the targets of a $2 million class action suit filed by a local Mississauga businesswoman and Trillium patient, Katie Mallinson, who says that Ms. Lyons used her access to Trillium’s entire database to secretly review the confidential medical records of Trillium patients for “many years and hundreds of times.” Mallinson was later revealed to be Lyons’ sister.
Lyons is described in the suit as an electronic "Peeping Tom" who “surreptitiously looked into the private lives of her victims, for her own amusement.” Trillium operates three hospitals in the Toronto and Mississauga area, and the hospital whose patients’ data was exposed is not identified, nor is it clear whether Lyons had access to patient records for all of Trillium’s hospitals or just a single facility.
However, the case notes that the privacy office at the hospital in question failed to detect any of Lyons’ misconduct, and only began investigating when Ms. Mallinson reported her own suspicions of it.
Trillium is charged with propagating lax, underfunded and inadequate privacy policies and procedures that gave a low-level employee “unrestricted access to every record of every patient the hospital has ever treated.” Lyons’ boss, Dr. Vettese, also was oblivious to the snooping, leaving “Lyons to her own devices for hours at a time” and spending “neither money nor time protecting the privacy interests of Trillium patients.”
It is unclear whether Lyons’ snooping extended to other patients, though the filing of a class action suit would suggest it did.
Patient privacy violations at the hands of curious medical staff aren’t uncommon. A number of cases have been documented in the U.S., where the HIPAA federal health privacy law prohibits unauthorized access to patient data. Typically, those are cases involving celebrities. Employee firings and disciplinary action resulting from employees accessing the records of Britney Spears, Kim Kardashian and actor George Clooney have all made headlines in recent years. In 2010, UCLA Health System agreed to pay $865,000 in fines to the federal government for HIPAA violations tied to snooping on medical records of two celebrity patients.
But snooping like Lyons’ that is focused on friends, neighbors and loved ones is even more common, if less sensational. Hospitals in the U.S. have taken steps to make it harder to pry, including features in electronic health record systems that note who accessed a record, when and why, and that require medical staff to provide a reason for accessing a patient’s medical record.
While the federal government is less likely to expend resources chasing down each and every case of snooping, those harmed by such activity can use HIPAA to establish a “standard of care” in cases that allege negligence.
What’s less clear is how this will play out in Canadian courts. That country has no federal health data privacy law and its federal information privacy law, which goes by the acronym PIPEDA, does not apply to non-profit and charitable institutions such as hospitals.
The burden falls then to provincial laws which, in this case, would be Ontario’s Personal Health Information Protection Act of 2004. That law contains rules about who can access a patient’s health record, though it is unclear if Lyons’ pattern of behavior was explicitly illegal, especially given that she was working for a physician and, as such, had legitimate access to patient health information.
It’s worth noting that Trillium also has run afoul of privacy officials before. In 2015, a privacy analyst working for the hospital group was alleged to have asked an employee at an affiliated wellness clinic to withdraw a complaint filed after Trillium mailed the clinic the wrong patient records.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum, a security and Internet of Things event that takes place September 22 in Cambridge, MA.