A Mississauga woman alleges her own sister snooped on her private health records, launching a proposed class-action lawsuit and investigations by the local hospital network and Ontario privacy commissioner.

In a statement of claim filed in Superior Court last week, Katie Mallinson, 41, accuses her sister of a “serious and prolonged invasion” of her privacy, allegedly committed by accessing personal health records via a hospital channel at the ophthalmology office where she has worked for more than a decade. Mallinson told the Star she was never a patient at that office, but rather frequented the nearby Credit Valley Hospital, which shares patient records with the ophthalmology practice.

Mallinson believes her sister, Milton resident Lisa Lyons, “improperly accessed” personal information as her “principal pastime” at work, according to the statement of claim.

The hospital has confirmed that its own internal investigation found six patients’ files, including Mallinson’s, had been breached, and all had been notified.

With “unfettered access” to the records of all three Trillium Health Partners hospitals in Mississauga, including Credit Valley, Mallinson’s sister could have accessed the files of potentially thousands of patients, the statement of claim says.

The proposed class action claims Mallinson and others affected are owed at least $3 million in damages. Trillium Health Partners and Dr. Antonio “Tony” Vettese, the ophthalmologist for whom Lyons works, are also named as defendants.

The lawsuit alleges Vettese “enabled and facilitated” the alleged privacy breaches because “such behaviour occurred in his professional premises, using his equipment, during working hours.”

Mallinson is the only plaintiff included in the lawsuit so far, her lawyer, Christopher Du Vernet, told the Star. The statement of claim says “several other” patients have received letters telling them their records were improperly accessed.

None of the allegations has been proven in court and no statement of defence has been filed.

“It’s not revenge; it’s nothing like that. It’s been gut-wrenching, and it’s been really hard,” Mallinson told the Star in an interview about the lawsuit.

“If she’s going to do this to a family member, what would stop her doing this to a stranger? I’ve cried and I’ve had a lot of anxiety,” she said. “This is an outside doctor’s office that has had access to the hospital (records)… You go to a hospital and see a specialist for help, and you know what? You should feel safe and secure that someone is not reading your records.”

The Star was unable to reach Vettese on Wednesday. Lyons declined to comment.

The Office of the Information and Privacy Commissioner of Ontario confirmed Wednesday that an investigation is continuing.

It is not clear whether Lyons still works at Vettese’s office.

In a May 26 letter to Mallinson provided to the Star, Trillium Health Partners security and privacy officer David Dowe confirmed there was a privacy breach involving “an individual” in Dr. Vettese’s office. Dowe wrote that an internal investigation found 40 instances where Mallinson’s records were accessed, going back more than four years.

Trillium Health Partners would not confirm to the Star whether that “individual” was Lyons.

In an emailed statement responding to the Star’s questions Wednesday, Trillium Health spokesperson Catherine Pringle said the hospital’s investigation identified and notified six patients, including Mallinson, whose files had been breached. Pringle said the individual who accessed those records, who is not a Trillium Health employee, has since been denied access to the records system.

The organization is also implementing more frequent audits of its physician access system — Trillium does more than 1,000 random checks on people with access every year — and has written a letter to doctors and their staff reminding them to obey the rules on medical records privacy as outlined in provincial legislation, Pringle said.

There are 1,240 physicians with credentials at Trillium Health hospitals whose offices have access to their patient records.

Such records could include the patient’s name, health card number, address and contact information, medical history including physical and psychiatric conditions, as well as insurance and treatment details, the statement of claim alleges.

Loading... Loading... Loading... Loading... Loading... Loading...

“We take this matter extremely seriously and are taking all necessary steps to ensure a resolution that protects the interests of our patients, their families and our community,” Pringle said.

She added that, by law, doctors and their staff are allowed to look only at the records of patients in their care.

Speaking with the Star by phone, Mallinson said her sister, Lyons, has worked at Vettese’s office about 30 years. She is now estranged from her sister, who she said is eight years older.

Mallinson said she became suspicious when her teenage son was texting her sister before a family event, and Lyons apparently mentioned in a message something specific about Mallinson’s health that she shouldn’t have known.

“It was a shock,” she said. “You feel violated. You feel sick. All in all, it’s a family member and you feel nauseous.”

She told the Starshe reached out to her hospital, which responded May 26 with Dowe’s letter. As to her decision to pursue legal action, Mallinson said she wanted to make sure anyone else who’d had their records breached would know and be able to seek justice.

“She (Lyons) never tried to reach out to me. The doctor never tried to reach to me,” Mallinson said. “I never got an apology.”

There have been several prominent privacy breaches in Ontario hospitals in recent years.

Last month,two workers at Princess Margaret hospital in Toronto were convicted of snooping into former mayor Rob Ford’s medical records during his cancer treatment. They were each fined $2,505, according to court records.

Mallinson’s lawyer, Christopher Du Vernet, argued that his client’s case demonstrates there should be tighter rules about access to hospital records.

“It’s just the virtual absence of an effective system of checks and balances,” he said.

“While this woman may have a PhD in snooping, she is not a doctor.”