In 2019, LifeLabs, Canada’s largest provider of general diagnostic and specialty testing services, experienced a cyberattack that compromised the health information of 15 million customers in British Columbia and Ontario. LifeLabs had to make a payment to the perpetrators to negotiate the retrieval of the information, and is now facing a class-action lawsuit settlement. In October 2023, another cyberattack halted services in five hospitals in Windsor, Ontario; the full extent of the impact on patient data is being investigated. In January 2023, the clinical research group University of Toronto Practice-Based Research Network (UTOPIAN) was criticized for the lack of informed patient knowledge, consent, and transparency during the acquisition of 600,000 full patient records provided by over 1400 family physicians.

These examples raise awareness of the ethical collection and protection of our health data. As we navigate the Digital Age in the 21st century, the dissemination and privacy of our health data are at the forefront of public inquiry and improvement. Creating databases containing patient electronic health records (EHRs) ideally eases the transfer of patient information between health care providers and prevents repetitive prescriptions, medical examinations, and errors. While efforts to amalgamate digitalized patient data have been hindered by poor management and are limited to systems within a province or territory, new efforts will bridge institutions nationally and internationally. For instance, the federal government’s proposed Shared Pan-Canadian Interoperability Roadmap intends to build a secure, digital system that would facilitate patient EHR transfers across the country.

Researchers have also benefitted from the wealth of information harvested from collaborative institutions sharing patient databases. Non-profit organizations, such as the Institute for Clinical Evaluative Sciences (ICES), which is supported by the Ontario Ministry of Health and Long-Term Care, garner information from a large health data repository containing records since 1986. The collected data, which includes population-based health surveys and EHRs of an estimated 13 million Ontarians to date, supports research projects that align with improving the efficiency and effectiveness of Ontario’s health care system and the study of chronic diseases. The recent COVID-19 pandemic stimulated international research collaborations. The Coalition for Epidemic Preparedness Innovations (CEPI)’s Centralized Laboratory Network (CLN) consists of ten laboratories, including one in Canada, and aims to facilitate the transfer of patient information, knowledge, and technologies (e.g. for vaccine development).

The convenience and comprehensiveness of these databases unfortunately might make them attractive targets for ransomware attacks or misuse. In Ontario, the Personal Health Information Protection Act (PHIPA) works to define the conditions in which health information can be collected, used, and disclosed. This legislation is enforced by the Information and Privacy Commissioner of Ontario. Organizations, such as ICES, must regularly apply for the privilege to access health information in digital repositories.

The Canadian Institutes of Health Research and other similar agencies have recommended some best practices for researchers to follow when collecting participant data. These include: 1) justifying the use of participant data, 2) limiting the amount of personal data that is collected, 3) de-identifying participants by assigning participant “codes” that only limited members of the research team (i.e. senior members) can access, and 4) regular research ethics board approvals and audits. Researchers must also disclose the type of data that is collected, be clear about the retention period of the collected data, and state whether there are policies in place to protect that data. Patients should be given sufficient information to decide if they would like to opt out of providing their confidential health information. At many research institutes, steps are being implemented to avoid accidental disclosure and mishandling of patient information. For instance, employees may sign a confidentiality letter before starting in the workplace and take annual refresher courses on privacy, and in some cases institutes implement random audits of EHR access.

Establishing public trust is critical to encouraging individuals to voluntarily provide health information that would support the scientific community. Moving forward, it would be in all of our best interests, whether as a study participant, a health care provider, or a researcher, to understand how this data should be ethically used and protected.


