A privacy violation can be “highly offensive” and actionable even if it is fleeting and causes no harm
The dangers inherent in electronic medical records were made apparent in Stewart v. Demme, on the one hand an application for certification of a class action, and on the other an application for summary judgment dismissing the claim. The two defendants in the case were Demme, a nurse, and the hospital at which she had formerly been employed. Over a period of ten years, she stole 23,932 Percocet pills. The method by which she did so was at the heart of the issue of the Plaintiff’s certification as a class action.
In order to acquire the drugs, Demme accessed the individual health records of over 11,000 patients of the hospital. In some cases, she was able to make use of the patient’s paper file, but in many others she used the Meditech database which digitally accessed patients’ records and displayed them on a screen. In either case, she used the information in order to access the hospital’s Automated Dispensing Unit (“ADU”), in order to have a Percocet pill dispensed. Demme testified that in the early years of her thefts she would look to see if the patient was pre-prescribed Percocet and, if not, would move on to another patient. Eventually, however, she began to click on random patients whose names appeared on the ADU screen list as a method of dispensing the pill.
Once these thefts were discovered, the Hospital sent a letter to every patient whose file or digital record was accessed by Demme to provide herself with Percocet, leading to the proposed class action lawsuit. The class sought to be certified to bring actions for intrusion upon seclusion and for negligence, while the defendants resisted both claims. In the end the class was certified to pursue the intrusion upon seclusion claim, but the application judge concluded that a negligence action could not succeed and granted summary judgment in that regard.
In each patient’s file, Demme accessed their information for less than a minute from the same ADU machine (as recorded by the ADU logs). “In effect, Ms. Demme scrolled down the patient list, stopped at any given patient’s name, and clicked on the box designated for the medication that she desired.” Her only motivation for improperly accessing any patient’s records, whether a paper file or a digital one through the ADU, was to obtain drugs (para 16): that is, although she might incidental see private medical information, that was not her goal, nor indeed likely to occur given that she would not want to keep a record open very long. In addition, there was no evidence that any patients’ medication was impacted by Demme’s use of their health records in this way. The purpose of ADU recording was to track the medicine stocks at the Hospital, and these records were not associated with any particular patient, and so when medication is dispensed through the ADU, it is not automatically recorded in the patient’s medical file. Further, the fact that the ADU had dispensed medication did not mean that it would be administered, so there was no evidence of any patient receiving Percocet who ought not to have. By the same token, there was no clear evidence that any patient had ever failed to receive Percocet when they ought to have.
It was largely for those reasons that the negligence action was dismissed: no damage could be shown, other than the purely symbolic harm of the privacy breach, which was not sufficient. However, the application judge did certify the class for a claim based on intrusion upon seclusion. That tort requires in part that there be intentional or reckless conduct by the defendant and that the defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns. Those requirements were clearly met by Demme’s misconduct.
However, in Jones v Tsige, the Ontario Court of Appeal determined that “one who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person”. Both defendants argued that the violation of the class members’ health records was de minimis and not highly offensive,and did not rise to the level required for it to: as counsel for the hospital put it, there was “a very large narcotics theft but a very small privacy invasion” (para 57).
The application judge acknowledged that Demme’s access to any individual file was fleeting, but held that that point should not be overemphasized: “interference with freedom of moment, just like invasion of privacy, must not be trivialized” (para 67). The nature and quality of the information at issue was also relevant: “other hospital procedures – surgery, chemotherapy, psychopharmalogical treatments, etc. – are bound to be rather less shared by patients with the world at large. The Hospital is a uniquely private and confidential institution” (para 66).
The judge did not that “While any intrusion – even a very small one – into a realm as protected as private health information may be considered highly offensive and therefore actionable, the facts do not exactly ‘cry out for a remedy’” (para 72). Nonetheless,
…the Jones reasoning supports the proposition that an infringement of privacy can be “highly offensive” without being otherwise harmful in the sense of leading to substantial damages. The offensiveness is based on the nature of the privacy interest infringed, and not on the magnitude of the infringement.
Accordingly the class was certified.