I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: New class action certified in Ontario after privacy breach at a hospital

Posted by

Just when you thought it was safe … a new class action was recently certified after a health privacy breach at a hospital in Ontario. Here’s what every health Privacy Officer needs to know.

Stewart v. Demme and William Osler Health System (2020)

“The central question … is whether a privacy violation can be “highly offensive” and actionable even if it is fleeting and causes no harm.”

That is the court’s opening statement in its decision.

The answer is probably, yes. At least the court is willing to find out more.


A nurse stole more than 20,000 Percocet pills (opioids) over a nine-year period of working in a hospital. To do so, she had to look at the medical records of more than 11,000 patients to obtain active patient names she could enter into the medication system to open the medication drawers.

It is alleged that her viewing of the paper and electronic health information systems was fleeting. It took her fewer than 60 seconds to look in a record to get a name of an active patient.

Some affected individuals were patients on the floor where she worked in the hospital. Others were not. It is alleged she was not viewing the records to provide clinical services – she did so to steal medication. There was no evidence that she read through the records of health information out of general curiosity or to learn about any particular individual. It is alleged she did so to obtain enough information to assist her to gain access to the controlled substances and override the security precautions of the hospital’s controlled medication systems.

When her activity was discovered, the nurse was fired from her job at the hospital, criminally convicted of theft and she lost her license to practice nursing.

The Law

Is it a privacy breach if someone views a record quickly?

If it is a privacy breach, should there be compensation to affected individuals?

The court is willing to find out the answers to these questions.

In this recent case, the hospital and nurse did not persuade the court to dismiss the action against them for “intrusion upon seclusion”.  This case will go forward on its merits as a class action. We will have to wait and see the outcome.

The tort of intrusion upon seclusion first came to Ontario in the case of Jones v. Tsige in 2012. We now have a three-part test to establish this cause of action:

  1. the defendant’s conduct must be intentional (including recklessness)
  2. the defendant had to have invaded the plaintiff’s private affairs or concerns without lawful justification
  3. the intrusion would be highly offensive to a reasonable person (causing distress, humiliation or anguish).

Affected individuals can now go to court to be compensated for this type of breach of privacy.

In Stewart v. Demme, the court said that the first two components of intrusion upon seclusion are not disputed: (1) the nurse’s actions were intentional; and (2) the information she looked at in the patients’ health records was private and she did not have authority to view those records as part of her job.  The issue to be decided is whether the third part of the test can be established – whether the intrusion would be highly offensive to a reasonable person.

The hospital and the nurse argued that a fleeting look at health records is not “highly offensive” and should not entitle the affected patients to be paid. They argued the patients were not harmed and the privacy breach was minimal.

The court did not agree and permitted the class action to proceed.

Messages for Privacy Officers

I get asked from time to time by health Privacy Officers whether viewing a health record for mere seconds counts as a privacy breach. The issue usually arises in snooping cases where an audit of electronic systems captures that a staff member viewed a patient’s health record (or many health records) for seconds.

Count to yourself – 1 one thousand – 2 one thousand – 3 one thousand – 4 one thousand – 5 one thousand – 6 one thousand – 7 one thousand – 8 one thousand – 9 one thousand – 10 one thousand.

If you know what you are doing in an electronic system, how much can you read and learn in 10 seconds?

A lot.

You can learn someone’s diagnosis.

You can read that someone has been referred for a particular procedure or consultation.

With a few more seconds, you can read a whole note of their counseling session.

This case of Stewart v. Demme teaches health Privacy Officers to double down on privacy training and auditing electronic information systems for unauthorized use and disclosure.  You must teach your staff that they should not view any records of patients unless they need to do so for their authorized role. If they need information to provide care – they must look at records. If it is part of their job to engage in quality improvement activities – they must look at records.  But they must never view health records out of curiosity or for personal benefit let alone as part of a criminal act.

Stay tuned!

If you enjoyed this article please share it:

Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Health Privacy Officer Foundations training
starts March 2024

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2024

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our 2024 program is now live.
Full details of the 2024 webinar series and registration here.

Mental Health webinars: Legal issues for mental health and addictions agencies and teams
Annual membership 2024

For managers and other leaders from mental health and addictions agencies, hospitals, CMHAs, CHCs, school boards, FHTs and Indigenous health services

This is an annual membership program with monthly webinars.
Full details and registration here.

Team Privacy Training Events

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Scheduled to your team's needs for comprehensive or refresher training More details...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

  • Our twitter feed is unavailable right now. Follow us on Twitter
  • contact details

    P.O. Box 13024, RPO Bradford Centre
    Bradford, ON, L3Z 2Y5

    (416) 855 9557