Canadian Underwriter

How the court bolstered an insurer’s exclusion for privacy breach

July 8, 2022   by David Gambrill

Close up of woman hands, arranging patient files

Print this page Share

Acting recklessly in breaching the confidential medical files of patients effectively falls within a hospital insurer’s commercial policy exclusion for committing an ‘intentional act,’ Ontario’s top court has ruled.

The Ontario Court of Appeal found a hospital insurer, the Healthcare Insurance Reciprocal of Canada, does not have a duty to defend a legal action brought against a former hospital employee who allegedly accessed thousands of patients’ medical records over a decade to help feed a personal drug addiction.

The court has not yet heard the merits of the main case. But its decision on whether the insurer has a duty to defend clarifies a relatively new privacy breach tort of “intrusion upon seclusion.”

The duty to defend decision shows Catharina Demme is a former registered nurse who worked at the Brampton Civic Hospital until December 2016. The hospital terminated Demme’s employment at that time after discovering she had misused an automatic medication dispensing unit (ADU) over 10 years, from 2006 until 2016, to obtain approximately 24,000 Percocet tablets.

The court will ultimately determine whether Demme used patient records to wrongfully access the ADU and obtain the Percocet. The hospital notified 11,358 patients whose medical records were affected.

Multiple legal actions have been launched.

In Demme v. Healthcare Insurance Reciprocal of Canada, the hospital’s insurer noted hospital employees are covered for liability under the hospital’s insurance policy for any ‘bodily injury’ caused to patients that may ensue from the hospital employee’s actions. The definition of bodily injury in the policy includes coverage for “invasion or violation of the right of privacy, wrongful eviction or wrongful entry.”

However, the insurer denied a duty to defend Demme under the policy because it claimed her actions met the insurance policy’s exclusions for ‘intentional’ and ‘criminal’ acts.

Demme sued the hospital’s insurer, saying it had a duty to defend. But the court basically found Demme’s alleged actions were ‘reckless’ and therefore fit within the insurance policy definition of an ‘intentional act.’

“One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person,” the Ontario Court of Appeal ruled. “The key features of this cause of action are, first, that the defendant’s conduct must be intentional, within which I would include reckless…”

The court goes on to address Demme’s reference to the Ontario Court for Appeal’s 2012 decision in Jones v. Tsige, in which the court first recognized a new privacy law tort for “intrusion upon seclusion.”

“Although the Jones decision does not contain a definition of ‘reckless,’” the court acknowledged in Demme, “it places reckless conduct side-by-side with intentional or deliberate conduct….One cannot tease from the discussion in Jones any support for the proposition advanced by Ms. Demme that Jones’ inclusion of a reckless act within the tort of intrusion upon seclusion could involve unintentional conduct.”

Demme told the court her ‘intentional act’ was in fact to access the Percocet to feed an addiction. The intent was not to cause bodily harm to the people whose medical records she accessed to obtain the drug. But the court did not agree with her distinction that you could be ‘reckless’ without being ‘intentional.’

“Stepping back from the consideration of the definitional elements of the tort and the concept of recklessness, Ms. Demme’s duty to defend application proceeds against the background of allegations that she unlawfully accessed patient records thousands of times over the course of a decade,” the court ruled. “For Ms. Demme to contend that in the face of such claims there exists a ‘mere possibility’ that her alleged conduct could be characterized as causing injury that was neither expected nor intended from her standpoint simply lacks any air of reality.”

The court went on to clarify that the expected and intended harm was done to the hospital patients whose records she allegedly accessed to get the Percocet.

“The nature of the [intrusion upon seclusion] tort is such that the intention to access the records amounts to an intention to cause injury,” the court ruled. “That is because under the tort the injury caused is the patients’ loss of control over their private information.”

Demme’s ‘reckless’ actions to access the patient’s records would thus fall within the insurance policy’s exclusion for ‘intentional’ acts, the court added.


Photo courtesy of