Another example of poor data practices in the health sector

September 1, 2015

The Toronto Star reports in Hospital clerk pleads guilty to stealing, selling patient records about how a person in a relatively junior position was able to access, download and sell highly confidential personal information held in a hospital database. Hospitals are notorious for poor privacy practices. There is often a lack of implementation of privacy protocols and poor enforcement of what systems are in place. Poor password protections, access by too many people to too many records for tenuous reasons, a failure to detect unauthorised access and general complacency give rise to regular breaches.

The story provides:

A former Rouge Valley Hospital clerk has pleaded guilty to stealing thousands of patient records and selling them to financial brokers over the course of more than a decade.

Shaida Bandali, 61, who worked at Rouge Valley from 1995-2014, accessed confidential maternity ward records, including the names and contact information of mothers as well as the names and birthdates of their babies, and sold them for between $1 and $2.75 each to salespeople of Registered Education Savings Plans (RESPs), according to an agreed statement of facts read out in court Monday.

While the charge isn’t a criminal offence, Bandali still faces a penalty of up to five years less a day in jail and a fine of up to $5 million for unregistered trading — a breach of the Securities Act.

“Ms Bandali engaged in a prolonged campaign to exploit her employment position to mine for and create investor lists solely for profit,” Ontario Securities Commission prosecutor Cameron Watson said in court.

The OSC estimates that at least 14,450 mothers may have had their confidential patient information stolen. A $412 million class-action lawsuit has since been launched.

The following account is based on an agreed statement of facts read into the court record. Bandali, who admitted to selling names on and off since 2000, was caught in April 2014, when a colleague found maternity records in a photocopier in the cardiac rehabilitation ward of the hospital. Bandali’s name and employee number were noted on them as well as the date and time that she accessed the records.

When confronted by superiors, Bandali told them she had been approached by Poly Edry, a former branch manager at Knowledge First Financial, and said she was paid $1 for each name and phone number of a new mother that she could provide. Edry and her husband, Gavriel, have also been charged under the Securities Act for their involvement. Their case is ongoing.

The OSC Joint Serious Offences Team obtained banking records that indicated Gavriel Edry opened a bank account solely to pay Bandali for the stolen medical records and transferred more than $10,000 to her from April 2012 to June 2014.

There were numerous other cash deposits and bank drafts deposited into Bandali’s account during this time, leading investigators to conclude that she received at least $12,595.75 over the 22 months. Investigators do not know how much money Bandali received in the 12 years prior to the period covered by the seized banking records.

Bandali told OSC investigators that she only provided names to Edry and received only $3,000 for her services.

“Ms Bandali was lying,” said Watson in court. “Throughout her statements, Ms Bandali consistently attempted to minimize her actions and significantly understate the payment that she received.”

According to the statement of facts, Poly Edry told investigators that she started purchasing hospital records from Bandali in 2012 and paid between $2.50 and $2.75 per name, according to the statement of facts. The sales arrangement came to an end in April 2014, when Bandali sent a text to Edry stating simply: “I’m caught.”

Two months later, when the Star revealed the breach, the two had a nine-minute phone call, according to phone records obtained by the OSC.

The OSC has also charged a former assistant branch manager at C.S.T. Consultants Inc., Subramaniam Sulur, for purchasing private medical records from Bandali. Two other people — Esther Cruz, a nurse at Scarborough Hospital, and Nellie Acar, an RESP broker — have been criminally charged in a related case.

Bandali and her lawyer, John Sheard, declined to comment outside court.
