Class action litigation relating to alleged privacy breaches is on the rise in Canada. We have seen numerous class proceedings commenced in the last several years resulting from lost or stolen data. One class proceeding in the health care context – Rowlands v. Durham Region Health et al. – was certified earlier this year by the Ontario Superior Court of Justice. Such cases have many implications for organizations and businesses which collect large amounts of personal information.
The Durham Region Health Decision
In Rowlands v. Durham Region Health, the plaintiffs allege that a nurse employed by the Durham Region Health Department lost a USB thumb drive containing personal and confidential health information of over 83,500 patients. The thumb drive contained unencrypted private patient information relating to H1N1 flu vaccinations received during the period of October 23 to December 15, 2009.
The class action was brought following an investigation and Order by the Ontario Information and Privacy Commissioner, which cited a number of breaches of the Personal Health Information Protection Act (PHIPA) by Durham Region Health in relation to this incident. Section 65(1) of PHIPA permits a party to commence a proceeding for damages for actual harm suffered as a result of a contravention of PHIPA.
The plaintiffs in the class proceeding seek $40 million in damages. One of the main bases for damages in the lawsuit is the risk that the confidential information contained in the USB drive might be used to facilitate identity theft. The action is based in, among other things, negligence and breach of the statutory duty to protect patient information.
The court granted certification of the class proceeding pursuant to section 5 of the Class Proceedings Act, largely with the consent of the defendants. As a result of the defendants' consent to much of what was at issue on the certification motion, the court's reasons in respect of the section 5 certification test are very brief and, therefore, will not likely be of much assistance to parties in future contested certification motions in this area. Notably, however, the court held that without certifying the action as a class proceeding, the class members identified would not reasonably be able to obtain access to justice. The court also found that the defendants were required to pay for the costs of notification of class members and the operation of the opt-out program for class members.
The Aftermath of the Decision: Implications for Businesses and Organizations
While the merits of the lawsuit have yet to be determined, the case has potentially wide-ranging implications for health care providers (and many other organizations that hold personal information subject to privacy laws). Section 12 of PHIPA imposes a statutory obligation on health information custodians to take steps to ensure that personal health information in the custodian's custody or control is protected against theft, loss and unauthorized use or disclosure. That section also requires health information custodians to contact each affected patient directly to inform them of the breach of their personal health information.
Similar privacy claims have also arisen in contexts outside of the health care sector. It remains to be seen what quantum of monetary damages is possible in such cases. While we have yet to see a ruling on damages in the privacy class action context, it may only be a matter of time before we see one. In addition to potential class action litigation, there are other considerable costs that can arise out of privacy missteps, including adverse publicity and loss of reputation, not to mention the organizational costs involved in trying to contain a public relations nightmare.
The circumstances that gave rise to this case are common. Numerous other hospitals and health care providers have recently come under fire for privacy-related data breaches. Furthermore, studies have shown that a staggering number of USB thumb drives are lost each year or left unprotected, allowing others to access or steal the confidential information they contain. This has resulted in millions of dollars lost for businesses and government organizations.
Given the above risks, many organizations are carefully monitoring and assessing the impact of the rise of privacy related class action developments in Canada and abroad.
See e.g. Sharon Gaudin, "Facebook slapped with class-action privacy lawsuit," Computerworld (July 8, 2010), online; Rob Tripp, "Corrections to pay victims of breach of privacy," The Whig-Standard (July 2010), online.
See generally Robert Shepherd, "Two thirds of businesses have lost data through careless use of USB sticks," Computing.co.uk (August 2, 2011), online.