Annual Reporting of Privacy Breach Statistics Due February 28

Health Information Custodians are required to annually report to the Information and Privacy Commissioner of Ontario on all privacy breaches during the previous year on or before March 1st. Reports are to be in this form, submitted electronically, and are to include information about Personal health information in the custodian’s custody or control that was: stolen, lost, used without authority or disclosed without authority. The information required to be reported includes the following:

• For PHI that was stolen, include the total number of incidents, and the number of incidents in which PHI was stolen by an internal party (i.e. as an employee), a stranger, through a ransomware attack or another type of cyberattack, whether unencrypted portable electronic equipment (such as USB keys or laptops) was stolen, whether paper records were stolen, and the number of individuals affected.

• For PHI that was lost include the total number of incidents, and the number of incidents in which PHI was lost, through a ransomware attack or another type of cyberattack, whether unencrypted portable electronic equipment (such as USB keys or laptops) was lost, whether paper records were lost, and the number of individuals affected.

• For PHI that was used without authority, include the total number of incidents, and the number of incidents in which PHI was used without authority, through electronic systems or through paper records and the number of individuals affected

• For PHI that was disclosed without authority, include the total number of incidents, and the number of incidents in which PHI was disclosed without authority through misdirected faxes and through misdirected emails and the number of individuals affected

For questions about reporting obligations or how to report particular incidents, please contact us.