Privacy Breach Report Form

For use by health information custodians reporting a theft, loss or unauthorized use or disclosure of personal health information (a privacy breach) to the Information and Privacy Commissioner of Ontario (the IPC) as required under section 12(3) of the Personal Health Information Protection Act, 2004 and Ontario Regulation 329/04 made pursuant to that Act.

Important Note: Do not include any personal health information with this form.

The IPC recognizes that the investigation, containment, and remediation of this privacy breach may not be complete at the time this form is submitted. Please provide as much of the requested information as is presently known.

The IPC may request additional information after reviewing this form.


Please describe the circumstances of the privacy breach, including

  • What happened?
  • Describe how personal health information came to be stolen or lost or used or disclosed without authority.
  • Date (or date range) of theft(s), loss(es) or unauthorized use(s) or disclosure(s) of personal health information?
  • Date privacy breach was discovered by the reporting custodian?
  • How was this privacy breach discovered by the reporting custodian?
  • How many agents of the reporting custodian were responsible, in whole or in part, for causing this privacy breach? Please explain.
  • In addition to the reporting custodian, how many other health information custodians were involved in this privacy breach? Please explain.
  • Describe the nature of the personal health information that was stolen or lost or used or disclosed without authority.
  • The number of individuals whose personal health information was stolen or lost or used or disclosed without authority?


Please describe the steps that have been taken by, or at the direction of, the reporting custodian to contain the privacy breach, the date that such steps were taken, and the outcome of these steps (including whether these steps were successful in containing the privacy breach).


Were the individuals whose personal health information was stolen or lost or used or disclosed without authority notified of this privacy breach?

  • On what date was notification provided?
  • If not, why not?
  • By what means was the notice communicated (mail, in person, etc.)?
  • Did the notice include:
    • A description of the circumstances of the privacy breach?
    • The nature and extent of the personal health information at issue?
    • The steps that have been taken and/or will be taken to contain and remediate the privacy breach?
    • The contact information of the person within your organization to contact for questions about the privacy breach?
    • That the IPC has been notified of the privacy breach?
    • That the individual is entitled to make a complaint to the IPC and information regarding how to make such a complaint?

  • What steps have you taken to investigate this privacy breach?
  • What steps remain to be taken to investigate this privacy breach?
  • What steps have you taken to remediate and prevent a future privacy breach?
  • What steps remain to be taken to remediate and prevent a future privacy breach?






Registrar
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Email: reportabreach@ipc.on.ca
FAX: 416-325-9188