'Deliberately snooping in someone's record is no less blameworthy than a 'peeping Tom’"
Ontario’s information and privacy commissioner Patricia Kosseim has released an annual report revealing a significant increase in privacy breaches across the province’s public sector, highlighting a growing concern over “snooping” incidents in personal records.
Snooping involves workers accessing sensitive or personal information even though it isn't required or permitted as part of their job.
According to Kosseim’s annual report, snooping cases rose by 34% in 2023 compared to the previous year, with over 10,000 reported breaches overall, said the CBC.
“Voyeurism is a criminal offense, you know, to my mind deliberately snooping in someone’s record is no less blameworthy than a ‘peeping Tom’ peering into someone’s bedroom,” she told CBC Toronto.
The report revealed that self-reported health privacy breaches related to snooping nearly doubled, from 104 in 2019 to 197 in 2023. These breaches pose a significant risk to public trust in the healthcare system, said Kosseim, stating that the confidential relationship between patients and healthcare providers is fundamental.
Update privacy policies, procedures
Hospitals accounted for a significant portion of the reported breaches, with 6,435 incidents occurring in hospital settings in 2023, said the report.
In April, Nova Scotia Health fired one of its workers for inappropriately accessing the personal health information of over 2,000 patients at one hospital.
Last summer, Hamilton Health Sciences (HHS) in Ontario fired eight employees for their role in a privacy breach at the city’s health care system.
Anthony Dale, president and CEO of the Ontario Hospital Association, stated that hospitals have “robust policies” in place and that all staff with access to personal health information undergo annual training. Hospitals are continually working to strengthen policies and procedures through routine monitoring and audits, he added.
To prevent such breaches, Alisha Kapur, an associate lawyer at Rosen Sunshine, recommended regular updates and reviews of policies and procedures, along with comprehensive staff training on safeguarding personal health information.
“There is no use in having strong policies if the staff who have access to personal health information records don’t know what they are required to do to safeguard those records,” she told the CBC.
Misdirected faxes, cyberattacks on the rise
The report also highlighted an increase in misdirected faxes and cyberattacks. Misdirected faxes accounted for just over half of all health privacy breaches, with 5,093 incidents reported in 2023, up 10% from the previous year, according to CBC News.
Cyberattacks nearly doubled in 2023, affecting a wide range of public sector entities, including municipalities, universities, school boards, and hospitals.
“It’s a big issue and it’s one that has governments, organizations, and regulators like my office all trying to curb this horrible trend of rising cyberattacks, including ransomware, which wreaks havoc on everybody’s lives and really undermines the integrity of our digital systems,” Kosseim told the CBC.
In response, Ontario’s minister of public and business service delivery introduced Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act. If enacted, the bill would mandate that all provincial ministries, departments, and agencies report privacy breaches to Kosseim’s office. Currently, only the health and children and youth sectors are required to do so by law, said the CBC.
The bill was last debated at Queen’s Park on May 28, with further debate expected in the fall.
