PHIPA DECISION 205

Collection: Health Information and Privacy
Date:
File Numbers: HR20-00449, HR21-00051
Adjudicators: John Gayle
Decision Type: Decision
Applicable Legislation: PHIPA - 2; PHIPA - 3(1); PHIPA - 3(1)3; PHIPA - 4(1); PHIPA - 12(1); PHIPA - 12(2)

Two health service provider organizations, one a health information custodian (the Custodian), and the other an organization contracted to deliver health care services on behalf of the Custodian (the Agent), both reported the same privacy breach under the Personal Health Information Protection Act, 2004 (the Act) to the Information and Privacy Commissioner of Ontario (IPC). The breach involved a phishing email attack that resulted in the unauthorized use of personal health information relating to the Custodian’s patients. However, in light of the steps taken by the Custodian and the Agent to address the breach, as well as the Agent’s commitment to provide the IPC with an update by March 31, 2024 confirming that the outstanding recommendations arising from the independent cybersecurity risk assessment that it undertook have been implemented, no formal review of the two complaints will be conducted under Part VI of the Act.