Whistleblowers allege U of T data project collected 600K patient records without consent | 24CA News

Ontario’s privateness commissioner is investigating a sweeping knowledge mission on the University of Toronto that’s alleged to have collected over 600,000 digital medical information with out affected person consent or data.

Filed final summer time by a bunch of involved docs within the GTA, a privateness criticism alleges the University of Toronto Practice-Based Research Network, a decade-old mission identified by the futuristic acronym UTOPIAN, has collected complete medical information (EMRs) from over 1,400 household physicians as a part of a “massive data grab.”

Researchers with UTOPIAN requested household docs to submit complete affected person charts beneath the “guise” of a analysis research, in keeping with the criticism. The mission has collected effectively over 613,000 EMRs.

Data extracted from the medical information is de-identified, which means that data is stripped of some “direct identifiers” like names and addresses. It is subsequently transferred to the safe UTOPIAN Data Safe Haven server.

Access to that big database is then bought or shared with researchers and different “third parties,” in keeping with a duplicate of the criticism obtained by Global News.

The knowledge is shared with the Canadian Primary Care Sentinel Surveillance Network (CPCSSN), Institute for Clinical Evaluative Sciences (ICES), Diabetes Canada and “other prescribed entities,” in keeping with UTOPIAN’s web site. Global News requested for additional particulars on how this affected person knowledge is shared however didn’t obtain a solution.

2:21
Increasing concern about cyberattacks in Canada

The University of Toronto pushed again towards the allegations, saying at no time is the info “sold.” According to their web site, all initiatives UTOPIAN helps are accredited by a analysis ethics board.

The involved docs say the U of T mission has damaged Ontario’s privateness legal guidelines and violated affected person belief. They additionally insist there’s little transparency about how confidential affected person data is being dealt with or shared.

“Patients were not afforded any real opportunity to withdraw from participation and recover their private medical information,”  reads a duplicate of the criticism. “They were completely unaware (and remain unaware) that this was even happening … Many, if not the majority, of patients, would be outraged if they found out that this has happened.”

Dr. Michelle Greiver, who leads UTOPIAN, declined a request for an interview.

After Global News despatched an in depth record of questions concerning the knowledge mission, this system introduced final week that it was “pausing” sure actions, together with amassing, utilizing or transferring knowledge.

Leading privateness and well being specialists say the criticism filed towards UTOPIAN shines a highlight on a rising, contentious debate between the necessity for higher public-health knowledge, particularly throughout a pandemic, and defending the privateness rights of sufferers. The knowledge is at the moment getting used to fund analysis into diabetes, despair, and coverings for Alzheimer’s.

Experts even have considerations that some figuring out data left within the digital medical information, resembling gender and postal codes, might doubtlessly go away sufferers open to being re-identified when matched with different public knowledge units.

“The counterbalance to having these lakes of incredibly valuable data is that you need to have privacy and security measures in place to ensure that there isn’t abuse or misuse of the data,” mentioned Theresa Scassa, a professor and Canada Research Chair in Information Law and Policy on the University of Ottawa.

“There need to be safeguards in place, and there needs to be oversight.”

The knowledge UTOPIAN has collected from affected person charts contains names, dates of beginning, health-card numbers, contact data, medical, psychiatric, and substance use histories amongst different non-public well being knowledge, in keeping with a duplicate of the criticism obtained by Global News.

Patient bank card data has additionally been gathered, the criticism mentioned. Often used to pay for companies not coated by Ontario Health Insurance Plan, bank card numbers can find yourself in an EMR.

Ontario’s Privacy Commissioner Patricia Kosseim mentioned in an announcement {that a} “review of this case is still ongoing,” however couldn’t present a timeline on when the investigation could be full.

And whereas there are expectations beneath the province’s Personal Health Information Protection Act that enable this non-public medical data to be collected with out consent for analysis, the criticism mentioned that standards hasn’t been met.

“Taking private and confidential medical data to simply populate another corporate entity’s privately-owned database is not research,” the criticism reads.

The University of Toronto declined to reply an in depth record of questions on how UTOPIAN collects, shops and shares affected person knowledge.

A spokesperson with the University of Toronto’s Temerty Faculty of Medicine mentioned it’s conscious of a criticism filed to the privateness commissioner.

“We are working with the IPC to address its questions stemming from the complaint,” a spokesperson mentioned in an announcement.

The spokesperson mentioned the affected person knowledge is “stored on servers at a high-security computing facility” and is just accessed by “authorized personnel working within this secure environment.”

“There has been no unauthorized data access or disclosure to third parties,” the assertion mentioned.

2:06
Code Blue: Can digital well being care ease Canada’s ER disaster?

Patients have been left fully at nighttime, the criticism alleges, with no conversations, emails or waivers advising them that UTOPIA is downloading their full medical chart.

UTOPIAN does present an 8 x 11 text-heavy poster, which is meant to be displayed in an workplace. It explains what the mission does, however doesn’t explicitly inform the reader their data is being taken.

“When you go to the doctor you’re feeling miserable, you’ve got a fever, you’re in pain, are you going to stand and read something posted on the wall somewhere? Are you going to notice it’s there?” Scassa mentioned.

One of the docs who helped file the criticism mentioned they weren’t given the complete story earlier than signing over affected person knowledge.

“There was no process to really sit us down and explain what was going on,” mentioned the physician, who spoke on situation of not being named for worry of reprisal within the office. “Patients don’t know that it’s happening. They weren’t asked before, and they’re not being asked now. They did it in a sneaky, underhanded way.”

The investigation by Ontario’s privateness commissioner into UTOPIAN additionally comes as hospitals and different elements of Canada’s overstretched health-care system have been hit by ransomware assaults.

Toronto’s Hospital for Sick Children was not too long ago focused, and Newfoundland and Labrador’s largest well being authority, Eastern Health, was hit by an enormous ransomware assault in 2021 that uncovered the non-public knowledge of 58,200 sufferers.

One cyber safety professional mentioned well being knowledge initiatives, like UTOPIAN, might turn out to be rising targets for ransomware assaults.

“Health-care networks, as well as our research environments, are mainline targets for many of our adversaries, including China and Russia,” mentioned Christopher Parsons, a former senior analysis affiliate on the Munk School’s Citizen Lab on the University of Toronto.

“We know they’re being targeted on a regular basis, and the attacks are actually successful, as we’re seeing in headlines that come out every day.”

Global interviewed Parsons earlier in January. He has since taken a job with the Office of the Information and Privacy Commissioner.

How UTOPIAN works

Electronic medical information include a affected person’s most non-public data.

Complete private and household medical histories, vaccine information, psychological well being and counselling background, and medicine lists are among the many many knowledge factors that assist fill out the medical portrait of an individual’s life and interplay with the health-care system.

Access to this type of knowledge is invaluable to lecturers, who can use it to conduct doubtlessly life-saving analysis, together with persistent illness, hypertension, and the way adults or youngsters entry household docs.

In an obvious absence of this centralized, primary-care knowledge in Ontario, the concept of UTOPIAN was born in 2013.

1:30
Privacy watchdog investigates PHAC’s use of Canadians’ cellphone location knowledge

The mission, headed by Dr. Greiver, was designed as a “living laboratory,” in keeping with its web site, the place taking part household docs submit their sufferers’ full medical information for “high-quality research.”

Researchers pays to entry the de-identified knowledge.

The mission has each an government committee and a scientific advisory committee, which incorporates “patient representatives,” the University of Toronto says on its web site.

It has now turn out to be  one of many “largest and most representative primary-care research networks in North America, and amongst the largest in the world.”

Close to 2 million affected person information

The community now feeds into an excellent bigger data-sharing mission referred to as Primary Care Ontario Practice-based Learning and Research Network (POPLAR), which can also be led by Dr. Greiver, in keeping with the criticism.

First launched in 2020, POPLAR collects knowledge from six different universities and the Alliance for Healthier Communities. Participating universities embody the University of Ottawa, McMaster University in Hamilton, Western University in London and Queen’s University in Kingston.

It was round this time that docs, who had already handed over their sufferers’ knowledge to UTOPIAN, started to boost considerations concerning the bigger knowledge mission.

“This signalled a significant broadening in the scope of confidential information UTOPIAN/POPLAR would take, and to whom it would make that data available,” in keeping with the criticism.

“UTOPIAN/POPLAR would now be downloading the entirety of the patients’ charts.”

The bigger knowledge work, POPLAR, has collected over 1.8 million digital medical information, in keeping with the web site.

It’s unclear what number of sufferers have been made conscious their data is being accessed.

The University of Toronto and Dr. Greiver didn’t reply to an inventory of questions on POPLAR. Global News additionally reached out to all college well being departments for remark about how the info is gathered, saved and accessed.

None responded.

The want for higher well being knowledge

Dr. Rita McCracken, a household doctor in Vancouver and researcher on the University of British Columbia, mentioned the breadth of this knowledge is “absolutely essential” to enhance Canadian well being care.

McCracken is one in all tons of of docs throughout the nation who participates in The Canadian Primary Care Sentinel Surveillance Network, which additionally collects de-identified affected person knowledge for well being analysis and illness surveillance.

“There have been some really important discoveries, especially around diabetes care, hypertension care, that these data sets have allowed us to do,” she mentioned.

However, not like UTOPIAN, McCraken mentioned her workplace sends emails and fingers out letters to tell folks their knowledge is being collected. A 4 ft. by 3 ft. poster can also be positioned within the ready room informing sufferers of this system.

Anyone who doesn’t need to take part can ask to have their data withdrawn from CPSSN, she mentioned.

For McCracken, her worry is the transfer by bigger, non-public firms into the business of digital medical information, like Telus Health. The firm additionally expanded into different companies, together with digital care, well being advantages administration, and e-prescribing.

“That seems to be the way bigger concern than a group of [researchers] who only want to do the very best thing [for patients],” she mentioned.

1:44
Cyber safety specialists say ransomware knowledge breach in well being care sector is a lesson for everybody

UTOPIAN states that anybody can “opt-out” and have their data withdrawn from the info platform.

But how can a affected person who doesn’t know they’ve had their knowledge collected choose out? It’s a difficult moral query, say privateness specialists like Scassa.

A mannequin primarily based on specific consent the place sufferers selected to “opt-in” can create “uneven, unrepresentative, incomplete” knowledge units, mentioned Scassa, a number one professional on privateness and knowledge governance.

“But if opt-out is going to be meaningful, you have to know about it,” she mentioned.

The involved docs are calling on the important thing leaders of UTOPIAN to challenge a public apology and work with docs to acquire “fresh consent” from sufferers transferring ahead.

“Research products based on these ill-gotten data themselves become tainted,” the criticism reads. “This [research] exception simply does not properly apply here. Direct consent from each patient was required and not obtained.”