Ontario Divisional Court Overturns Certification of Intrusion Upon Seclusion Claim in Data Breach Class Action

Stikeman Elliott LLP

In Stewart v. Demme, the Ontario Divisional Court (the “Court”) overturned the certification of an intrusion upon seclusion claim in a data breach class action against a hospital, where a nurse used patient health records to steal prescription medication.

Background

This case arose from a decade-long theft of thousands of Percocet pills by a nurse employed by the defendant, William Osler Health System (the “Hospital”). The nurse, who had a drug addiction, improperly accessed the health records of over 11,000 patients for the purpose of obtaining the pills, and not to satisfy any other need for patients’ health information. The Hospital’s records showed that she had accessed each patient’s records for only a few seconds and that this had had no effect on the treatment of the patients.

The Hospital terminated the nurse’s employment upon discovering the theft, of which she was subsequently convicted criminally. After the Hospital contacted the affected patients, this proposed class action was commenced seeking damages for:

  1. Negligence, for failing to safeguard private health information; and
  2. Intrusion upon seclusion (a tort recognized by the Ontario Court of Appeal in Jones v. Tsige), which requires the plaintiff to demonstrate that:
    1. the defendant’s conduct was intentional or reckless;
    2. the defendant invaded, without lawful justification, the plaintiff’s private affairs; and
    3. a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.

Certification Decision

While the certification judge held that the elements of negligence were not made out against the Hospital because there was no provable harm, he found that the plaintiff’s intrusion upon seclusion claim was viable.

Finding that the first two elements of the tort were met – namely, intentional or reckless conduct, and the unlawful invasion into the patients’ private affairs or concerns – the certification judge held that the “central question of liability” in this case was whether the invasion of the class members’ privacy is “highly offensive”.

While the certification judge noted that the nurse’s access to the patients’ data was fleeting and that the facts of this case “do not exactly cry out for a remedy”, based on his interpretation of Jones, he held that “even a small [intrusion] into a realm as protected as private health information may be considered highly offensive, and therefore, actionable”.

Divisional Court Decision

On appeal, the Divisional Court overturned the certification decision and dismissed the intrusion upon seclusion claim.

The Court held that the certification judge erred in how he interpreted Jones. Notably, the Court held that “not every intrusion into private health information amounts to a basis to sue for the tort of intrusion upon seclusion”. Rather, the fact that a case does not “cry out for a remedy” should signal that the high standard for certification of the tort may not be met.

The Court emphasized that because the tort of intrusion upon seclusion is a “no actual damages tort”, it should only be available for deliberate and significant invasions of personal privacy. Having regard to the facts of this case, the Court held that the certification judge erred in concluding that the claim met the high threshold necessary to disclose a tenable cause of action in intrusion upon seclusion. Specifically, the patient health information accessed was limited and not particularly sensitive in the realm of health information; the access was fleeting and incidental to the medication theft; and there was no discernible effect on the patients.

The Court also noted that the significance of the intrusion must be assessed individually, not collectively. The fact that there were over 11,000 patient intrusions in this case did not mean that each intrusion was significant and highly offensive.

Key Take-Aways

The decision in this appeal underscores:

  • The high bar a plaintiff must meet to bring an intrusion upon seclusion claim: not all privacy breaches, even those related to personal health information, rise to the level of tortious intrusions upon seclusion. To the contrary, only deliberate and significant affronts to privacy that are “highly offensive” are actionable on this basis;
  • That in making the assessment of whether a breach is “highly offensive”, courts will look to the specific circumstances and context of the case at hand, including the nature and sensitivity of the information accessed, the defendant’s motives and the actual impact on affected individuals. If the facts of the case don’t “cry out for a remedy”, it may be a sign that the high standard for certification of the tort has not been met; and
  • That the significance of a breach is to be assessed individually, rather than collectively. Even though the many breaches that occurred might collectively have been considered a serious privacy incident by the Hospital, it did not follow that each individual breach was significant and highly offensive.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stikeman Elliott LLP | Attorney Advertising
