A Vancouver-based HIV/AIDS organization is facing a class-action suit for breach of privacy after an alleged release of email addresses of 800 of its members via a September 2016 mass email.
And, said a BC Supreme Court ruling released May 1, a staff member of Positive Living BC had warned the organization that poor data-control practices were going to eventually create problems.
B.C.’s Office of the Information and Privacy Commissioner confirmed the alleged breach situation was reported in September 2016 and the file closed in December of 2016.
A person known only as John Doe brought the case against Positive Living Society of British Columbia (PLS), membership in which is available to B.C. residents who are HIV positive, the University of British Columbia (UBC) and Providence Health Care Society.
The suit alleges a Positive Living employee sent an email to the members to solicit recipients’ participation in a study it was conducting together with the other defendants about the quality of the services the society was delivering to people with HIV/AIDS.
“Due to an apparent oversight, the email was openly delivered to the recipients, rather than blind copied, thereby revealing their email addresses to the other recipients without their consent,” BC Supreme Court Justice Warren Milman said in an administrative ruling.
The suit, started in August 2017, alleges negligence; breach of various statutory duties regarding the collection, use, retention and disclosure of personal information; breach of privacy and intrusion upon seclusion; breach of fiduciary duty; and breach of contract and warranty.
The defendants, in part, say the case should not proceed because the sending of the email was inadvertent rather than wilful or malicious.
Both the complainant and PLS produced affidavits for the court.
For the plaintiff, an affidavit came from a former PLS director identified only as P.W., who was a volunteer on the study for which the email was sent out.
P.W. said he had warned the society about poor data management practices which could become a serious problem and said senior managers were careless with data. He said he had “observed ‘staff and management systematically avoid accountability for any of their data recording and management’ thereby creating ‘a substantial risk of a privacy breach.’” As well, he said there were problems with the IT department, that he advised the director of operations of IT improvements that could have prevented the incident, and that the society’s board unreasonably refused to “hold itself accountable” for the incident after it .
Another person providing an affidavit for the plaintiff, identified as T.H., said he had left the society after 14 years because he was “disturbed by their careless approach to confidentiality and privacy, particularly with respect to their email communications with members.”
The assertions in the plaintiff’s affidavits were contradicted by those presented by PLS – something the judge said might have to be dealt with in a trial.
The judge noted those providing affidavits for the society deny warnings were given prior to the incident.
“They say that the data management practices identified by P.W. had no bearing on how PLS communicated with its members and that the IT upgrades that P.W. was urging on PLS would not have prevented the Incident in any event. They deny P.W.’s account of how PLS reacted to the Incident.”
Milman concluded virtually all of the plaintiff’s evidence of recklessness refers to PLS, with little supporting a finding of recklessness on the part of UBC or Providence.
Spokesman Adam Reibin said PLS could not comment as the case is before the courts, a statement reiterated by Providence’s Shaf Hussain and a UBC spokesperson.