Court certifies class action against health authority arising from employee snooping into medical records

Introduction

Over the last several years, a number of privacy class action certification decisions have been favourable to defendants.1 However, in Welshman v Central Regional Health Authority, 2024 NLSC 35, the Newfoundland and Labrador Supreme Court rejected all of the defendant’s arguments at the preliminary stage of certification, leaving them to be decided by the trial judge.

Background

In two separate but similar incidents, one or more rogue employees of the defendant Health Authority wrongfully accessed the private medical information of 260 individuals. The plaintiffs allege that they suffered, inter alia, distress, humiliation, anger, upset, mental anguish, shock and fear of identity theft. The plaintiffs advance claims under Newfoundland and Labrador’s Privacy Act, intrusion upon seclusion, negligence and breach of contract.

Decision

The court certified the class action, considering itself bound by a 2014 decision of the NLSC in a similar case, Hynes v Western Regional Health Authority.2

Statutory privacy tort and intrusion upon seclusion

Like in Hynes, the court certified the statutory privacy tort on the basis that it is not plain and obvious that this claim would fail. The court held that whether the Health Authority itself could be found to have acted “wilfully” and “without colour of right” as provided under the province’s Privacy Act (and therefore potentially attract direct liability) should not be decided at the certification stage but is rather an issue to be determined at trial. Similarly, the court found that whether the Health Authority could be vicariously liable for the actions of its employee for breach of the Privacy Act should be decided at trial.

The court also certified the claim based on the tort of intrusion upon seclusion, noting that Newfoundland and Labrador’s Privacy Act specifically states that the statutory privacy tort does not derogate from any other right or remedy available at common law — an issue that remains under debate in other provinces with differing legislation.

It is hard to reconcile the Welshman decision on the issue of direct liability with the findings of the Court of Appeal for Ontario in Owsianik v Equifax Canada Co.3 That decision found that a data custodian cannot be held directly liable for intentional privacy torts committed by a third party, although a data custodian could still be sued under negligence for failure to take reasonable steps to protect the data.

Negligence

The court found that the private information at issue is more sensitive than the information in a number of other privacy class actions considered by Canadian courts, and consequently, that it could be possible at trial for some class members to prove the type of serious and prolonged psychological harms that meet the threshold for compensable damages.4 As such, the court found that the issue of damages should be determined at trial.

The court rejected the defendant’s argument that the plaintiffs must prove at certification that aggregate damages are appropriate, instead finding that aggregate damages are not required for certification. Rather, the assessment and appropriateness of aggregate damages can be left to the trial judge.

Breach of contract

The court certified the breach of contract claim, departing from Ontario’s jurisprudence on this point in the healthcare context. In the Broutzas v Rouge Valley Health System decision, the Ontario Superior Court held that it was “plain and obvious” that the relationship between patients and hospitals is not contractual in nature. In that case, the court held that it would be an “artifice” to accept the argument that hospital privacy policies or patient admission forms could form the basis of an implied contract with implied terms between the hospital and its patients with respect to the protection of personal health information.5 

In Welshman, the court held that it was bound by the principles of judicial comity and stare decisis to follow the 2014 Hynes decision from Newfoundland and Labrador, which recognized the possibility that a hospital could be liable in contract for breach of privacy. While establishing an implied or good faith contract claim may ultimately prove unsuccessful, the court found that the case law in Newfoundland and Labrador does not wholly preclude it.

Takeaways

  • In the context of a privacy breach, the sensitivity of the information at issue can impact how courts apply the “plain and obvious” analysis for the first criterion of the class action certification test.
  • The law regarding whether it is “plain and obvious” that a hospital or health authority cannot be sued for breach of contract in the context of a privacy breach may differ from province to province and may attract the attention of appellate courts.
  • While many decisions arising out of privacy breach class actions have recently favoured defendants, the certification threshold is low, and some plaintiffs will be able to satisfy it. 



1 See e.g., BLG’s bulletins on Broutzas v RVHS; Del Giudice v Thompson; Owsianik v Equifax Canada Co; Obodo v Trans Union of Canada, Inc; and Winder v Marriott International, Inc.
2 2014 NLTD(G) 137.
3 2022 ONCA 813.
4 2008 SCC 27.
5 2018 ONSC 6315 at paras 216-217.
