Ontario’s privacy commissioner is investigating a sweeping data project at the University of Toronto that is alleged to have collected over 600,000 electronic medical records without patient consent or knowledge.
Filed last summer by a group of concerned doctors in the GTA, a privacy complaint alleges the University of Toronto Practice-Based Research Network, a decade-old project known by the futuristic acronym UTOPIAN, has collected full electronic medical records (EMRs) from over 1,400 family physicians as part of a “massive data grab.”
Researchers with UTOPIAN asked family doctors to submit entire patient charts under the “guise” of a research study, according to the complaint. The project has collected well over 613,000 EMRs.
Data extracted from the medical records is de-identified, meaning that information is stripped of some “direct identifiers” like names and addresses. It is subsequently transferred to the secure UTOPIAN Data Safe Haven server.
Access to that giant database is then sold or shared with researchers and other “third parties,” according to a copy of the complaint obtained by Global News.
The data is shared with the Canadian Primary Care Sentinel Surveillance Network (CPCSSN), Institute for Clinical Evaluative Sciences (ICES), Diabetes Canada and “other prescribed entities,” according to UTOPIAN’s website. Global News asked for further details on how this patient data is shared but didn’t receive an answer.
Increasing concern about cyberattacks in Canada
The University of Toronto pushed back against the allegations, saying at no time is the data “sold.” According to their website, all projects UTOPIAN supports are approved by a research ethics board.
The concerned doctors say the U of T project has broken Ontario’s privacy laws and violated patient trust. They also insist there is little transparency about how confidential patient information is being handled or shared.
“Patients were not afforded any real opportunity to withdraw from participation and recover their private medical information,” reads a copy of the complaint. “They were completely unaware (and remain unaware) that this was even happening … Many, if not the majority, of patients, would be outraged if they found out that this has happened.”
Dr. Michelle Greiver, who leads UTOPIAN, declined a request for an interview.
After Global News sent a detailed list of questions about the data project, the program announced last week that it was “pausing” certain activities, including collecting, using or transferring data.
Leading privacy and health experts say the complaint filed against UTOPIAN shines a spotlight on a growing, contentious debate between the need for better public-health data, especially during a pandemic, and protecting the privacy rights of patients. The data is currently being used to fund research into diabetes, depression, and treatments for Alzheimer’s.
Experts also have concerns that some identifying information left in the electronic medical records, such as gender and postal codes, could potentially leave patients open to being re-identified when matched with other public data sets.
“The counterbalance to having these lakes of incredibly valuable data is that you need to have privacy and security measures in place to ensure that there isn’t abuse or misuse of the data,” said Teresa Scassa, a professor and Canada Research Chair in Information Law and Policy at the University of Ottawa.
“There need to be safeguards in place, and there needs to be oversight.”
Why are there so many cyberattacks lately?
More than 50,000 Canadians have died from COVID-19 since pandemic began
The data UTOPIAN has collected from patient charts includes names, dates of birth, health-card numbers, contact information, medical, psychiatric, and substance use histories among other private health data, according to a copy of the complaint obtained by Global News.
Patient credit card information has also been gathered, the complaint said. Often used to pay for services not covered by Ontario Health Insurance Plan, credit card numbers can end up in an EMR.
Ontario’s Privacy Commissioner Patricia Kosseim said in a statement that a “review of this case is still ongoing,” but couldn’t provide a timeline on when the investigation might be complete.
And while there are expectations under the province’s Personal Health Information Protection Act that allow this private medical information to be collected without consent for research, the complaint said that criteria hasn’t been met.
“Taking private and confidential medical data to simply populate another corporate entity’s privately-owned database is not research,” the complaint reads.
The University of Toronto declined to answer a detailed list of questions about how UTOPIAN collects, stores and shares patient data.
A spokesperson with the University of Toronto’s Temerty Faculty of Medicine said it is aware of a complaint filed to the privacy commissioner.
“We are working with the IPC to address its questions stemming from the complaint,” a spokesperson said in a statement.
The spokesperson said the patient data is “stored on servers at a high-security computing facility” and is only accessed by “authorized personnel working within this secure environment.”
“There has been no unauthorized data access or disclosure to third parties,” the statement said.
Code Blue: Can virtual health care ease Canada’s ER crisis?
Patients have been left completely in the dark, the complaint alleges, with no conversations, emails or waivers advising them that UTOPIA is downloading their full medical chart.
A rare green comet not seen in 50,000 years is coming. Here’s how Canadians can see it
More than 50,000 Canadians have died from COVID-19 since pandemic began
UTOPIAN does provide an 8 x 11 text-heavy poster, which is supposed to be displayed in an office. It explains what the project does, but doesn’t explicitly inform the reader their information is being taken.
“When you go to the doctor you’re feeling miserable, you’ve got a fever, you’re in pain, are you going to stand and read something posted on the wall somewhere? Are you going to notice it’s there?” Scassa said.
One of the doctors who helped file the complaint said they weren’t given the full story before signing over patient data.
“There was no process to really sit us down and explain what was going on,” said the doctor, who spoke on condition of not being named for fear of reprisal in the workplace. “Patients don’t know that it’s happening. They weren’t asked before, and they’re not being asked now. They did it in a sneaky, underhanded way.”
The investigation by Ontario’s privacy commissioner into UTOPIAN also comes as hospitals and other parts of Canada’s overstretched health-care system have been hit by ransomware attacks.
Toronto’s Hospital for Sick Children was recently targeted, and Newfoundland and Labrador’s largest health authority, Eastern Health, was hit by a massive ransomware attack in 2021 that exposed the private data of 58,200 patients.
State-sponsored actors’ could target Canada’s power grid, intelligence agency warns
U.S. FDA proposes annual COVID-19 vaccinations for most Americans
One cyber security expert said health data projects, like UTOPIAN, could become increasing targets for ransomware attacks.
“Health-care networks, as well as our research environments, are mainline targets for many of our adversaries, including China and Russia,” said Christopher Parsons, a former senior research associate at the Munk School’s Citizen Lab at the University of Toronto.
“We know they’re being targeted on a regular basis, and the attacks are actually successful, as we’re seeing in headlines that come out every day.”
Global interviewed Parsons earlier in January. He has since taken a job with the Office of the Information and Privacy Commissioner.
How UTOPIAN works
Electronic medical records contain a patient’s most private information.
Complete personal and family medical histories, vaccine records, mental health and counselling background, and medication lists are among the many data points that help fill out the medical portrait of a person’s life and interaction with the health-care system.
Access to this kind of data is invaluable to academics, who can use it to conduct potentially life-saving research, including chronic disease, hypertension, and how adults or kids access family doctors.
In an apparent absence of this centralized, primary-care data in Ontario, the idea of UTOPIAN was born in 2013.
Privacy watchdog investigates PHAC’s use of Canadians’ cellphone location data
The project, headed by Dr. Greiver, was designed as a “living laboratory,” according to its website, where participating family doctors submit their patients’ full medical records for “high-quality research.”
Researchers can pay to access the de-identified data.
The project has both an executive committee and a scientific advisory committee, which includes “patient representatives,” the University of Toronto says on its website.
It has now become one of the “largest and most representative primary-care research networks in North America, and amongst the largest in the world.”
Close to 2 million patient records
The network now feeds into an even larger data-sharing project called Primary Care Ontario Practice-based Learning and Research Network (POPLAR), which is also led by Dr. Greiver, according to the complaint.
First launched in 2020, POPLAR collects data from six other universities and the Alliance for Healthier Communities. Participating universities include the University of Ottawa, McMaster University in Hamilton, Western University in London and Queen’s University in Kingston.
It was around this time that doctors, who had already handed over their patients’ data to UTOPIAN, began to raise concerns about the larger data project.
“This signalled a significant broadening in the scope of confidential information UTOPIAN/POPLAR would take, and to whom it would make that data available,” according to the complaint.
“UTOPIAN/POPLAR would now be downloading the entirety of the patients’ charts.”
B.C.’s medical watchdog probing whether TELUS Health program creates ‘two-tiered’ health care
Toxic chemicals in period underwear? What to know as U.S.-based Thinx settles lawsuit
The larger data work, POPLAR, has collected over 1.8 million electronic medical records, according to the website.
It’s unclear how many patients were made aware their information is being accessed.
The University of Toronto and Dr. Greiver did not respond to a list of questions about POPLAR. Global News also reached out to all university health departments for comment about how the data is gathered, stored and accessed.
The need for better health data
Dr. Rita McCracken, a family physician in Vancouver and researcher at the University of British Columbia, said the breadth of this data is “absolutely essential” to improve Canadian health care.
McCracken is one of hundreds of doctors across the country who participates in The Canadian Primary Care Sentinel Surveillance Network, which also collects de-identified patient data for health research and disease surveillance.
“There have been some really important discoveries, especially around diabetes care, hypertension care, that these data sets have allowed us to do,” she said.
However, unlike UTOPIAN, McCraken said her office sends emails and hands out letters to inform people their data is being collected. A 4 ft. by 3 ft. poster is also placed in the waiting room informing patients of the program.
Anyone who doesn’t want to participate can ask to have their information withdrawn from CPSSN, she said.
For McCracken, her fear is the move by larger, private corporations into the business of electronic medical records, like Telus Health. The company also expanded into other services, including virtual care, health benefits management, and e-prescribing.
“That seems to be the way bigger concern than a group of [researchers] who only want to do the very best thing [for patients],” she said.
Cyber security experts say ransomware data breach in health care sector is a lesson for everyone
UTOPIAN states that anyone can “opt-out” and have their information withdrawn from the data platform.
But how can a patient who doesn’t know they’ve had their data collected opt out? It’s a challenging ethical question, say privacy experts like Scassa.
A model based on explicit consent where patients chose to “opt-in” can create “uneven, unrepresentative, incomplete” data sets, said Scassa, a leading expert on privacy and data governance.
“But if opt-out is going to be meaningful, you have to know about it,” she said.
The concerned doctors are calling on the key leaders of UTOPIAN to issue a public apology and work with doctors to obtain “fresh consent” from patients moving forward.
“Research products based on these ill-gotten data themselves become tainted,” the complaint reads. “This [research] exception simply does not properly apply here. Direct consent from each patient was required and not obtained.”