11 November 2024

Cyberattacks And Data Breach: Reports

Osler, Hoskin & Harcourt LLP

PIPEDA Findings No. 2024-002, Re, Office of the Privacy Commissioner of Canada


Facts

A customer of an alarm monitoring company, Brinks Home (Brinks), filed a complaint with the Office of the Privacy Commissioner of Canada (OPC) after inadvertently viewing the personal information of other customers on Brinks' online portal. Shortly thereafter, Brinks changed the online portal settings to prevent the information from being displayed. OPC investigated to determine whether Brinks had adequate security safeguards in place, and whether Brinks complied with breach notification requirements under PIPEDA.

Decision

OPC found that Brinks had failed to adequately protect customers' personal information from unauthorized access, but had subsequently implemented technical and procedural mechanisms to prevent similar incidents from occurring in the future. And, ultimately, Brinks sold all of its individual customer accounts. For these reasons, OPC found the safeguarding aspect of the complaint was well-founded and resolved. In determining whether Brinks complied with its breach notification requirements, OPC found that the personal information revealed could be considered sensitive, but the probability of misuse was low. The OPC concluded that the breach did not present a real risk of significant harm, and therefore did not require Brinks to notify the affected individuals or report the breach to OPC.

Key Takeaway

This case highlights the importance of properly safeguarding personal information and the importance of taking active measures to mitigate possible harm if breaches of such information do occur.

A Medical Imaging Clinic, Re, Ontario Information and Privacy Commissioner


Facts

A medical imaging clinic notified the Information and Privacy Commissioner of Ontario (IPC) that it was the victim of a ransomware attack. The clinic paid the ransom in exchange for an encryption key that allowed the clinic to recover all affected files. IPC investigated to determine whether the clinic took reasonable steps to protect personal health information, and whether a review was warranted under the Personal Health Information Protection Act.

Decision

IPC found that the clinic had taken sufficient steps to determine the scope of the breach, which included patient and employee information as well as billing codes. IPC also found that the clinic had provided appropriate notice, by posting a physical notice at the clinic's entrance and information desk, as well as providing a "pop up" notice on its website. Further, the clinic sent notification letters to over 14,000 referring physicians and to the clinic's employees and healthcare partners. The clinic also took action to minimize the risk of such a breach recurring in the future. Remedial measures taken by the clinic included revising its password policy, creating a policy for the identification and removal of dormant user accounts, and changing its approach to backups to ensure that one copy is always offline and would remain uncompromised in the event of another breach. Based on these findings, IPC determined that a review was not warranted.
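The dormant-account policy mentioned among the clinic's remedial measures is something that can be operationalized as a routine check. The following is an added illustration and is not code from the article, the clinic or the IPC; it assumes a simple account record with a last-login timestamp and a creation date (both hypothetical fields) and a 90-day idle threshold chosen here for illustration. The sample accounts are constructed. Accounts that have never signed in are measured from their creation date, since such accounts are a common blind spot for "last login" based reviews, and flagged accounts are disabled rather than deleted so that the change is reversible and leaves an audit trail.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    """Hypothetical minimal account record used for a dormancy review."""
    username: str
    created: datetime
    last_login: Optional[datetime]  # None: the account has never signed in
    enabled: bool = True


def find_dormant_accounts(accounts: List[Account], now: datetime,
                          max_idle_days: int = 90) -> List[str]:
    """Return the usernames of enabled accounts with no sign-in within the window.

    An account that has never signed in is judged by its creation date, so an
    unused account cannot hide behind a missing last-login value.
    """
    limit = timedelta(days=max_idle_days)
    dormant = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to review
        last_activity = acct.last_login if acct.last_login is not None else acct.created
        if now - last_activity > limit:
            dormant.append(acct.username)
    return sorted(dormant)


def disable_accounts(accounts: List[Account], usernames: List[str]) -> List[Account]:
    """Return a copy of the account list with the named accounts disabled.

    Disabling rather than deleting keeps the record for audit and allows a
    quick rollback if an account turns out to be needed.
    """
    targets = set(usernames)
    return [replace(a, enabled=False) if a.username in targets else a for a in accounts]


# Constructed sample data: review date and a handful of accounts.
NOW = datetime(2024, 11, 11, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("frontdesk", created=NOW - timedelta(days=900), last_login=NOW - timedelta(days=2)),
    Account("former-tech", created=NOW - timedelta(days=700), last_login=NOW - timedelta(days=200)),
    Account("vendor-tmp", created=NOW - timedelta(days=120), last_login=None),
    Account("new-hire", created=NOW - timedelta(days=5), last_login=None),
    Account("old-admin", created=NOW - timedelta(days=1500), last_login=NOW - timedelta(days=400), enabled=False),
]


if __name__ == "__main__":
    flagged = find_dormant_accounts(SAMPLE_ACCOUNTS, NOW)
    print("dormant accounts:", flagged)
    after = disable_accounts(SAMPLE_ACCOUNTS, flagged)
    print("remaining dormant after disabling:", find_dormant_accounts(after, NOW))
```

Run on the constructed data, the review flags the stale technician account and the never-used vendor account, leaves the recently created account alone, and skips the account that is already disabled. In practice the same logic would be fed from the identity provider or directory export that the organization actually uses, and the threshold would be set by the policy rather than hard-coded.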

Key Takeaway

This case demonstrates that reviews by IPC may be avoided or minimized if victims of ransomware attacks provide proper notice and take sufficient remedial measures to minimize future risks.

Vankoughtnett, Re, Saskatchewan Information and Privacy Commissioner


Facts

Four dentists operated a general dentistry clinic as sole proprietors engaged in a cost-sharing agreement. One of the four dentists left the cost-sharing agreement and took copies of the clinic's entire patient database with him. The remaining dentists contacted the Saskatchewan Information and Privacy Commissioner (IPC) with concerns. The IPC found it had jurisdiction to investigate the matter, and considered whether privacy breaches occurred, and whether the remaining dentists had adequately responded to the privacy breaches.

Decision

The IPC concluded that the departing dentist's collection of the entire patient database was not authorized by, and constituted a privacy breach under, The Health Information Protection Act (HIPA). The IPC found that the root cause of the privacy breach was a lack of technical safeguards protecting personal information, as the departing dentist should not have been able to access the remaining dentists' patient information in the first place. For these reasons, the IPC found that the remaining dentists had failed to fulfill their duty to protect patients' personal health information under HIPA. The IPC also found that the remaining dentists had taken reasonable steps to contain the breach by reporting it to the IPC and ensuring the departing dentist could not further access the database, but that they had failed to take steps to notify the affected individuals. The updated Privacy Policy used by the dentists remaining in the cost-sharing agreement was also held to be inadequate, as it conflated the requirements of PIPEDA with the requirements of HIPA.

Key Takeaway

This case highlights the extent to which regulators expect medical professionals to take care to ensure that they are adequately protecting patients' personal health information and preventing unauthorized access.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
