Annual Reporting of Privacy Breach Statistics to the Commissioner

Starting in March 2019 health information custodians will be required to provide the Commissioner with an annual report on privacy breaches occurring during the previous calendar year.

This requirement is found in section 6.4 of Ontario Regulation 329/04, made under the Personal Health Information Protection Act, 2004, as follows:

(1)  On or before March 1 in each year starting in 2019, a health information custodian shall provide the Commissioner with a report setting out the number of times in the previous calendar year that each of the following occurred:

  1. Personal health information in the custodian’s custody or control was stolen.
  2. Personal health information in the custodian’s custody or control was lost.
  3. Personal health information in the custodian’s custody or control was used without authority.
  4. Personal health information in the custodian’s custody or control was disclosed without authority.

(2)  The report shall be transmitted to the Commissioner by the electronic means and format determined by the Commissioner. O. Reg. 224/17, s. 1.

To prepare for this reporting requirement, custodians must start tracking their privacy breach statistics as of January 1, 2018. To assist with this, the following is the information the IPC will require in the annual report. Custodians should maintain this information so that they are ready to report on the 2018 calendar year in early 2019:

1. Stolen Personal Health Information

  • Total number of incidents where personal health information was stolen
  • Of the total in this category, the number of incidents where:
    • theft was by an internal party (such as an employee, affiliated health practitioner or electronic service provider)
    • theft was by a stranger
    • theft was the result of a ransomware attack
    • theft was the result of another type of cyberattack
    • unencrypted portable electronic equipment (such as USB keys or laptops) was stolen
    • paper records were stolen
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected

2. Lost Personal Health Information

  • Total number of incidents where personal health information was lost
  • Of the total in this category, the number of incidents where:
    • loss was a result of a ransomware attack
    • loss was the result of another type of cyberattack
    • unencrypted portable electronic equipment (such as USB keys or laptops) was lost
    • paper records were lost
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected

3. Used without Authority

  • Total number of incidents where personal health information was used (e.g. viewed, handled) without authority
  • Of the total in this category, the number of incidents where:
    • unauthorized use was through electronic systems
    • unauthorized use was through paper records
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected

4. Disclosed without Authority

  • Total number of incidents where personal health information was disclosed without authority
  • Of the total in this category, the number of incidents where:
    • unauthorized disclosure was through misdirected faxes
    • unauthorized disclosure was through misdirected emails
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected
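The report above is a set of counts over a custodian's incident register, so the practical question is how to keep that register in a form that produces the numbers directly. The following is an added example, not an IPC tool or template: it tallies a constructed list of incident records into the four categories, the sub-category counts, and the "individuals affected" bands, restricting itself to the calendar year before the report year. The `Incident` record, its field names and the tag names used for sub-categories are assumptions for illustration; a real register will have its own schema.

```python
"""Tally privacy-breach incidents into the annual-report counts described above.

Added example (not IPC code). The incident records, field names and tag
names are constructed for illustration; a custodian's real incident
register will use its own schema.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# The four categories in s. 6.4(1) of O. Reg. 329/04.
CATEGORIES = ("stolen", "lost", "used_without_authority", "disclosed_without_authority")

# Bands for "number of individuals affected", as listed in the report.
# (low, high or None for open-ended, label)
AFFECTED_BANDS = (
    (1, 1, "1"),
    (2, 10, "2-10"),
    (11, 50, "11-50"),
    (51, 100, "51-100"),
    (101, None, "over 100"),
)


@dataclass
class Incident:
    occurred: date
    category: str            # one of CATEGORIES
    individuals_affected: int
    # Tag names are assumed here and map to the sub-category bullets, e.g.
    # "internal", "stranger", "ransomware", "other_cyberattack",
    # "unencrypted_portable", "paper", "electronic", "fax", "email".
    tags: frozenset = field(default_factory=frozenset)


def affected_band(n: int) -> str:
    """Return the report band for n individuals affected (n must be >= 1)."""
    if n < 1:
        raise ValueError("an incident must affect at least one individual")
    for lo, hi, label in AFFECTED_BANDS:
        if n >= lo and (hi is None or n <= hi):
            return label
    raise AssertionError("unreachable: bands cover every n >= 1")


def annual_report(incidents, report_year: int) -> dict:
    """Count incidents from the calendar year *before* report_year.

    Sub-category tallies are counted independently, so they need not sum to
    the category total: one theft can be tagged both "internal" and
    "ransomware", and an incident with no matching tag is only counted in
    the total.  The affected-count bands, by contrast, are disjoint and do
    sum to the total.
    """
    previous_year = report_year - 1
    report = {}
    for cat in CATEGORIES:
        in_cat = [i for i in incidents
                  if i.category == cat and i.occurred.year == previous_year]
        tag_counts = Counter(t for i in in_cat for t in i.tags)
        band_counts = Counter(affected_band(i.individuals_affected) for i in in_cat)
        report[cat] = {
            "total": len(in_cat),
            "by_tag": dict(tag_counts),
            "by_affected": {label: band_counts.get(label, 0)
                            for _, _, label in AFFECTED_BANDS},
        }
    return report


# Constructed sample register: three 2018 incidents and one from 2019 that
# must be excluded from the report due on 1 March 2019.
SAMPLE_INCIDENTS = [
    Incident(date(2018, 2, 14), "stolen", 1,
             frozenset({"unencrypted_portable", "stranger"})),
    Incident(date(2018, 6, 3), "stolen", 250,
             frozenset({"ransomware", "internal"})),
    Incident(date(2018, 11, 20), "disclosed_without_authority", 10,
             frozenset({"fax"})),
    Incident(date(2019, 1, 5), "lost", 3, frozenset({"paper"})),
]

if __name__ == "__main__":
    import json
    print(json.dumps(annual_report(SAMPLE_INCIDENTS, 2019), indent=2))
```

Two points are worth checking in any real implementation: the band boundaries (100 falls in "51 to 100", 101 in "over 100", and an incident affecting nobody is a data error rather than a band) and the date filter, since an incident discovered in January but occurring in December belongs to the earlier year's report.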