In a troubling development for Canadian healthcare privacy, private medical clinics across the country have been quietly selling patients’ personal health information to third-party companies, according to a comprehensive new study published today in the Canadian Medical Association Journal.
The investigation, led by researchers at the University of Toronto’s Faculty of Medicine, found that nearly 40% of private healthcare facilities engage in some form of data monetization without explicit patient consent. This practice raises profound questions about the security of Canadians’ most sensitive information at a time when digital health records have become the norm.
“What we’re seeing is an alarming gap between what patients believe happens to their information and what actually occurs behind closed doors,” explains Dr. Samantha Morrison, lead author of the study and privacy expert. “Most Canadians would be shocked to learn their medical histories, test results, and even genetic information may be packaged and sold to data brokers, pharmaceutical companies, and marketing firms.”
The investigation revealed that clinics in major urban centers including Toronto, Vancouver, and Montreal are the most prolific data sellers, with some facilities earning upwards of $200,000 annually from these arrangements. While the data is supposedly “anonymized,” privacy experts have repeatedly demonstrated that de-identified health information can often be re-identified when combined with other publicly available data sets.
Health Canada has responded with concern but limited action. In a statement to CO24 News, Health Minister Anita Anand acknowledged the issue, stating: “Patient privacy is paramount in our healthcare system. We are reviewing the findings of this study and consulting with provincial healthcare authorities to determine appropriate regulatory responses.”
The practice exists in a regulatory gray area. While the Personal Information Protection and Electronic Documents Act (PIPEDA) governs commercial use of personal information, healthcare falls primarily under provincial jurisdiction, creating a patchwork of regulations across the country. Several Canadian provinces have stronger health privacy laws, but enforcement remains inconsistent.
Dr. Michael Geist, a law professor specializing in digital privacy at the University of Ottawa, notes that “this represents a fundamental breakdown in the trust relationship between patients and healthcare providers. Patients share their most intimate details with medical professionals expecting confidentiality, not commodification.”
The Canadian Medical Association has called for immediate federal intervention, recommending standardized, robust privacy protections that would explicitly prohibit the sale of patient data without informed consent. “The commercialization of patient information without transparent consent processes undermines the foundation of patient-centered care,” said CMA President Dr. Katharine Smart.
For patients concerned about their privacy, experts recommend directly asking clinics about their data policies and requesting written confirmation that personal health information will not be shared with third parties for commercial purposes. Some private facilities offer opt-out provisions, though these are rarely publicized to patients.
As digital healthcare continues to evolve, with virtual care platforms and electronic health records becoming increasingly commonplace, the tension between innovation and privacy protection intensifies. The question now confronting Canadians and policymakers alike is stark: in our rush to modernize healthcare, have we sacrificed our fundamental right to medical privacy?
