Annual Reporting of Privacy Breach Statistics to the Commissioner

Health information custodians¹ are required to provide the Commissioner with an annual report on privacy breaches occurring during the previous calendar year.

This requirement is found in section 6.4 of Ontario Regulation 329/04 made pursuant to the Personal Health Information Protection Act, 2004 (PHIPA), as follows:

(1) On or before March 1 in each year starting in 2019, a health information custodian shall provide the Commissioner with a report setting out the number of times in the previous calendar year that each of the following occurred:

  1. Personal health information in the custodian’s custody or control was stolen.
  2. Personal health information in the custodian’s custody or control was lost.
  3. Personal health information in the custodian’s custody or control was used without authority.
  4. Personal health information in the custodian’s custody or control was disclosed without authority.
  5. Personal health information was collected by the custodian by means of the electronic health record without authority. O. Reg. 224/17, s. 1; O. Reg. 534/20, s. 3 (1).

(2) The report shall be transmitted to the Commissioner by the electronic means and format determined by the Commissioner. O. Reg. 224/17, s. 1.

(3) A health information custodian that disclosed the information collected by means of the electronic health record without authority is not required to include this disclosure in its annual report. O. Reg. 534/20, s. 3 (2).

The following is the information the IPC requires in the annual report. Custodians should maintain this information over the course of the calendar year to ensure they are ready to report on the calendar year by March 1 of the following year:

Stolen Personal Health Information

  • Total number of incidents where personal health information was stolen
  • Of the total in this category, the number of incidents where:
    • theft was by an internal party (such as an employee, affiliated health practitioner or electronic service provider)
    • theft was by a stranger
    • theft was the result of a ransomware attack
    • theft was the result of another type of cyberattack
    • unencrypted portable electronic equipment (such as USB keys or laptops) was stolen
    • paper records were stolen
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected

Lost Personal Health Information

  • Total number of incidents where personal health information was lost
  • Of the total in this category, the number of incidents where:
    • loss was a result of a ransomware attack
    • loss was the result of another type of cyberattack
    • unencrypted portable electronic equipment (such as USB keys or laptops) was lost
    • paper records were lost
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected

Used without Authority

  • Total number of incidents where personal health information was used (e.g. viewed, handled) without authority
  • Of the total in this category, the number of incidents where:
    • unauthorized use was through electronic systems
    • unauthorized use was through paper records
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected

Disclosed without Authority

  • Total number of incidents where personal health information was disclosed without authority
  • Of the total in this category, the number of incidents where:
    • unauthorized disclosure was through misdirected faxes
    • unauthorized disclosure was through misdirected emails
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected

Collected by the Custodian by Means of the EHR without Authority

  • Total number of incidents where personal health information was collected by the custodian by means of the electronic health record (EHR) without authority
  • Of the total in this category, the number of incidents where:
    • one individual was affected
    • 2 to 10 individuals were affected
    • 11 to 50 individuals were affected
    • 51 to 100 individuals were affected
    • over 100 individuals were affected

Notes: Do not count each incident more than once. If one incident includes more than one of the above categories, choose the category that it best fits. For example, if an employee accessed personal health information without authority, and then disclosed the information, count that incident as either a use or a disclosure, but not both.

In this annual statistics report, you must include all thefts, losses, unauthorized uses or disclosures, or unauthorized collections by means of the EHR, even if you were not required to report them to the IPC under section 6.3 or section 18.3² of the Regulation.
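Custodians are expected to keep these counts over the year, so the following added example (not part of the IPC's page or its submission website) shows one way to track incidents internally and tally them into the report structure above: each incident carries exactly one category, so it is counted once, and the affected-individual bands and sub-breakdowns are derived from the record. Category and sub-breakdown identifiers are assumed names chosen here.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Report categories and the sub-breakdowns the IPC lists under each (identifiers assumed here).
SUBTYPES = {
    "stolen": {"internal_party", "stranger", "ransomware", "other_cyberattack",
               "unencrypted_portable_device", "paper_records"},
    "lost": {"ransomware", "other_cyberattack", "unencrypted_portable_device", "paper_records"},
    "used_without_authority": {"electronic_systems", "paper_records"},
    "disclosed_without_authority": {"misdirected_fax", "misdirected_email"},
    "collected_via_ehr_without_authority": set(),
}
# Affected-individual bands from the report; anything above 100 falls in "over 100".
BANDS = ((1, 1, "1"), (2, 10, "2-10"), (11, 50, "11-50"), (51, 100, "51-100"))

@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred_on: date
    category: str                       # exactly one category: the "count once" rule
    individuals_affected: int
    subtypes: frozenset = frozenset()   # sub-breakdowns that apply (several or none)

def band(n: int) -> str:
    for lo, hi, label in BANDS:
        if lo <= n <= hi:
            return label
    return "over 100"

def annual_report(incidents, year: int) -> dict:
    # Tally one calendar year of incidents into the IPC report structure.
    report = {c: {"total": 0, "by_subtype": Counter(), "by_band": Counter()} for c in SUBTYPES}
    seen = set()
    for inc in incidents:
        if inc.occurred_on.year != year:
            continue                    # only the reporting year's incidents are counted
        if inc.incident_id in seen:
            raise ValueError(f"{inc.incident_id}: listed twice; count each incident once")
        seen.add(inc.incident_id)
        if inc.category not in SUBTYPES:
            raise ValueError(f"{inc.incident_id}: unknown category {inc.category!r}")
        bad = inc.subtypes - SUBTYPES[inc.category]
        if bad:
            raise ValueError(f"{inc.incident_id}: {sorted(bad)} not valid for {inc.category}")
        if inc.individuals_affected < 1:
            raise ValueError(f"{inc.incident_id}: at least one individual must be affected")
        bucket = report[inc.category]
        bucket["total"] += 1
        bucket["by_band"][band(inc.individuals_affected)] += 1
        for s in inc.subtypes:
            bucket["by_subtype"][s] += 1
    return report
```

An incident in which an employee both viewed and then disclosed information is recorded once, with whichever single category fits best, so the totals never double-count it.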

Health privacy breach statistics are collected through the IPC’s Online Statistics Submission Website.

¹ Subsection 18.10 (5) of Ontario Regulation 329/04 requires a coroner to whom the prescribed organization provides personal health information under subsection 55.9.1 (1) of PHIPA to, in respect of that information, comply with section 6.4 of the Regulation, with any necessary modification, as if the coroner were a health information custodian.

² Or, for coroners, clause 18.10 (4) (b).