PIPEDA Findings No. 2024-002, Re, Office of the Privacy Commissioner of Canada
Facts
A customer of an alarm monitoring company, Brinks Home (Brinks), filed a complaint with the Office of the Privacy Commissioner of Canada (OPC) after inadvertently viewing the personal information of other customers on Brinks' online portal. Shortly thereafter, Brinks changed the online portal settings to prevent the information from being displayed. OPC investigated to determine whether Brinks had adequate security safeguards in place, and whether Brinks complied with breach notification requirements under PIPEDA.
Decision
OPC found that Brinks had failed to adequately protect customers' personal information from unauthorized access, but had subsequently implemented technical and procedural mechanisms to prevent similar incidents from occurring in the future. Ultimately, Brinks sold all of its individual customer accounts. For these reasons, OPC found the safeguarding aspect of the complaint was well-founded and resolved. In determining whether Brinks complied with its breach notification requirements, OPC found that the personal information revealed could be considered sensitive, but that the probability of misuse was low. OPC concluded that the breach did not present a real risk of significant harm, and therefore did not require Brinks to notify the affected individuals or report the breach to OPC.
Key Takeaway
This case highlights the importance of properly safeguarding personal information and the importance of taking active measures to mitigate possible harm if breaches of such information do occur.
A Medical Imaging Clinic, Re, Ontario Information and Privacy Commissioner
Facts
A medical imaging clinic notified the Information and Privacy Commissioner of Ontario (IPC) that it was the victim of a ransomware attack. The clinic paid the ransom in exchange for an encryption key that allowed the clinic to recover all affected files. IPC investigated to determine whether the clinic took reasonable steps to protect personal health information, and whether a review was warranted under the Personal Health Information Protection Act.
Decision
IPC found that the clinic had made sufficient efforts to determine the scope of the breach, which included patient and employee information as well as billing codes. IPC also found that the clinic had provided appropriate notice, by posting a physical notice at the clinic's entrance and information desk, as well as providing a "pop-up" notice on its website. Further, the clinic sent notification letters to over 14,000 referring physicians and to the clinic's employees and healthcare partners. The clinic also took action to minimize the risk of such a breach recurring in the future. Remedial measures taken by the clinic included revising its password policy, creating a policy for the identification and removal of dormant user accounts, and changing its approach to backups so that one copy is always kept offline and would remain uncompromised in the event of another breach. Based on these findings, IPC determined that a review was not warranted.
Key Takeaway
This case demonstrates that reviews by IPC may be avoided or minimized if victims of ransomware attacks provide proper notice and take sufficient remedial measures to minimize future risks.
Vankoughtnett, Re, Saskatchewan Information and Privacy Commissioner
Facts
Four dentists operated a general dentistry clinic as sole proprietors engaged in a cost-sharing agreement. One of the four dentists left the cost-sharing agreement and took copies of the clinic's entire patient database with him. The remaining dentists contacted the Saskatchewan Information and Privacy Commissioner (IPC) with concerns. The IPC found it had jurisdiction to investigate the matter, and considered whether privacy breaches occurred, and whether the remaining dentists had adequately responded to the privacy breaches.
Decision
The IPC concluded that the departing dentist's collection of the entire patient database was not authorized by, and constituted a privacy breach under, The Health Information Protection Act (HIPA). The IPC found that the root cause of the privacy breach was a lack of technical safeguards protecting personal information, as the departing dentist should not have been able to access the remaining dentists' patient information in the first place. For these reasons, the IPC found that the remaining dentists had failed to fulfill their duty to protect patients' personal health information under HIPA. The IPC also found that the remaining dentists had taken reasonable steps to contain the breach by reporting it to the IPC and ensuring the departing dentist could not further access the database, but that they had failed to take steps to notify the affected individuals. The updated Privacy Policy used by the dentists remaining in the cost-sharing agreement was also held to be inadequate, as it conflated the requirements of PIPEDA with the requirements of HIPA.
Key Takeaway
This case highlights the extent to which regulators expect medical professionals to take care to ensure that they are adequately protecting patients' personal health information and preventing unauthorized access.