Annual Reporting of Privacy Breach Statistics Due February 28

Health Information Custodians are required to annually report to the Information and Privacy Commissioner of Ontario on all privacy breaches during the previous year on or before March 1st. Reports are to be in this form https://statistics.ipc.on.ca/web/site/login, submitted electronically, and are to include information about Personal health information in the custodian’s custody or control that was: stolen, lost, used without authority or disclosed without authority. The information required to be reported includes the following:

  • For PHI that was stolen, include the total number of incidents, and the number of incidents in which PHI was stolen by an  internal party (i.e. as an employee), a stranger, through a ransomware attack or another type of cyberattack, whether unencrypted portable electronic equipment (such as USB keys or laptops) was stolen, whether paper records were stolen, and the number of individuals affected.
  • For PHI that  was lost include the total number of incidents, and the number of incidents in which PHI was lost, through a ransomware attack or another type of cyberattack, whether unencrypted portable electronic equipment (such as USB keys or laptops) was lost, whether paper records were lost, and the number of individuals affected.
  • For PHI that  was used without authority, include the total number of incidents, and the number of incidents in which PHI was used without authority,  through electronic systems or through paper records and the number of individuals affected
  • For PHI that  was disclosed without authority, include the total number of incidents, and the number of incidents in which PHI was disclosed without authority through misdirected faxes and through misdirected emails and the number of individuals affected
For questions about reporting obligations or how to report particular incidents, please contact us 

Posted in:

Back to Top