Ontario’s privacy commissioner is investigating a sweeping data project at the University of Toronto that is alleged to have collected over 600,000 electronic medical records without patient consent or knowledge.
Filed last summer by a group of concerned doctors in the GTA, a privacy complaint alleges the University of Toronto Practice-Based Research Network, a decade-old project known by the futuristic acronym UTOPIAN, has collected full electronic medical records (EMRs) from over 1,400 family physicians as part of a “massive data grab.”
Researchers with UTOPIAN asked family doctors to submit entire patient charts under the “guise” of a research study, according to the complaint. The project has collected well over 613,000 EMRs.
Data extracted from the medical records is de-identified, meaning that information is stripped of some “direct identifiers” like names and addresses. It is subsequently transferred to the secure UTOPIAN Data Safe Haven server.
Access to that giant database is then sold or shared with researchers and other “third parties,” according to a copy of the complaint obtained by Global News.
The data is shared with the Canadian Primary Care Sentinel Surveillance Network (CPCSSN), Institute for Clinical Evaluative Sciences (ICES), Diabetes Canada and “other prescribed entities,” according to UTOPIAN’s website. Global News asked for further details on how this patient data is shared but didn’t receive an answer.
Increasing concern about cyberattacks in Canada
The University of Toronto pushed back against the allegations, saying at no time is the data “sold.” According to their website, all projects UTOPIAN supports are approved by a research ethics board.
The concerned doctors say the U of T project has broken Ontario’s privacy laws and violated patient trust. They also insist there is little transparency about how confidential patient information is being handled or shared.