A new report from the Information and Privacy Commissioner of Ontario’s (IPC) provides the first substantial insights into Ontario’s new mandatory privacy breach reporting system. The IPC’s 2018 Annual Report (published on June 27, 2019) provides a comprehensive survey of privacy breaches across Ontario in 2018 and the effect Ontario’s move from a voluntary to mandatory breach reporting had on the number of breaches reported to the IPC.

In this article, we briefly review the legislative requirements for reporting a privacy breach to the IPC and then look at key insights contained in the 2018 Annual Report.

When is a Report to the IPC Required?

Health information custodians (Custodians) in Ontario have been mandated to report certain privacy breaches to the IPC since October 1, 2017. A Custodian is required to notify the IPC of a privacy breach when it has reasonable grounds to believe that personal health information in its custody or control "was used or disclosed without authority by a person who knew or ought to have known" that he or she did not have permission to do so. The circumstances are described in subsection 6.3(1)(1.) of the regulations to The Personal Health Information Protection Act, 2004 (PHIPA). Prior to the 2017 change, Custodians could choose when or when not to report such breaches to the IPC.

Patients, on the other hand, must be notified in all instances where their personal health information is stolen, lost, used without authority or disclosed without authority. Beginning on January 1, 2018, Custodians are required to maintain statistics with respect to these notifications and submit them on annual basis to the IPC.

The duty to report breaches to the IPC is narrower than the duty to notify patients as it excludes situations such as a single misdirected fax. The goal of the legislative changes is to require reporting to the IPC in which there is a risk of a continuing privacy breach.

Mandatory Reporting to the IPC in 2018

Since October 2017, the number of privacy breaches reported to the IPC has increased significantly. In 2018, Ontario Custodians reported 506 privacy breaches to the IPC, which were categorized as follows:

- Snooping

120

- Cyberattack

15

- Other

371

In 2017, which included three months of mandatory reporting, 322 privacy breaches were reported to the IPC. In contrast, only 186 privacy breaches were reported to the IPC in 2016.

Privacy Breaches Across Ontario in 2018

Over 800 Custodians provided privacy breach statistics for personal health information which was lost, stolen, used without authority, or disclosed without authority for 2018. In total, Custodians reported that they experienced 11,278 privacy breaches. The Annual Report does not identify the number of affected individuals nor describe their significance. The privacy breaches were divided into the following categories:

- Stolen

78

- Lost

343

- Unauthorized Use

604

- Unauthorized Disclosure

10,253

Some further detail about these categories is included in the Annual Report. For example, 16 of the 78 instances of stolen personal health information were due to cyberattacks (including two ransomware attacks), and 35 were cases of theft by a stranger. On the other hand, there were only three instances where an unencrypted laptop or USB key was stolen. Most of the lost personal health information (280 of 343) involved the loss of paper records.

The largest category of privacy breaches, however, was unauthorized disclosure. Misdirected faxes accounted for 6,381 of the breaches while misdirected emails accounted for only 434. This difference suggests that the use of email to disclose personal health information remains low.

Conclusion

The Annual Report also included commentary on instances of snooping in which the IPC acknowledged that the number of snooping incidents reported by Custodians will likely increase in the short-term as Custodians implement more sophisticated means of detection, such as the use of artificial intelligence, to monitor the accesses made to electronic medical records. Once this technology improves, it is possible that the IPC will expect Custodians using electronic medical records will use this technology to audit accesses as a best practice.

This is the first year that privacy breach statistics are available for Ontario’s health sector. As more data is collected, it will be possible to identify trends and/or persistent sources of privacy breaches. We expect that while the IPC’s short-term focus will be gathering data, these statistics will shape the IPC’s strategic priorities in the future.

Lastly, we note that the 2018 Annual Report did not include the individual privacy breach statistics for Custodians across Ontario. The IPC, however, may choose to publish these statistics in future years if it is not satisfied with Custodian’s efforts to comply with PHIPA.