Privacy breach protocol
The IPC strongly recommends that you develop a privacy breach protocol. As a custodian, you must take immediate action upon learning of a privacy breach. The following steps may need to be carried out simultaneously and in quick succession in the event of a privacy breach.
Step 1: Immediately implement privacy breach protocol
- Notify all relevant staff of the breach, including your Chief Privacy Officer or PHIPA contact person, and determine who else from within your organization should be involved in addressing the breach.
- Develop and execute a plan designed to contain the breach and notify those affected.
Step 2: Notify the IPC if required
- Determine if you are required to report the breach to the IPC. You are required to report breaches to the IPC under the circumstances set out in the PHIPA regulation; these circumstances are described in Reporting a Privacy Breach to the IPC: Guidelines for the Health Sector.
- If you are required to report the breach to the IPC, do so at the first reasonable opportunity, either online or by mail.
Step 3: Stop and contain the breach
Identify the scope of the breach and take the necessary steps to contain it, including:
- Retrieve and secure any personal health information that has been disclosed.
- Ensure that no copies of the personal health information have been made or retained by the individual who was not authorized to receive the information. Their contact information should be obtained, in the event that follow-up is required.
- Determine whether the privacy breach would allow unauthorized access to any other personal health information (e.g. information held in an electronic information system) and take the necessary steps, such as changing passwords or identification numbers and/or temporarily shutting your system down.
Step 4: Notify those affected by the breach
Direct notification to affected individuals
You must take the necessary steps to notify those individuals whose privacy was breached, including:
- Identify all affected individuals and notify them of the breach at the first reasonable opportunity. PHIPA does not specify the manner in which notification must be carried out. For example, notification can be by telephone, in writing or, depending on the circumstances, by a notation made in the individual’s file to be discussed at their next appointment. There are numerous factors that may need to be taken into consideration when deciding on the best form of notification, such as the sensitivity of the personal health information.
- Health information custodians should provide direct notification by telephone, letter, email or in person, to individuals impacted by a privacy breach. There are exceptional circumstances where custodians may consider using indirect notification to individuals affected by a breach.
- Notification to affected individuals should occur as soon as possible following the breach, even if using an indirect method.
- When notifying individuals affected by a breach:
  - Provide details of the breach to affected individuals, including the extent of the breach and what personal health information was involved.
  - Advise all affected individuals of the steps that you are taking to address the breach, and that they are entitled to make a complaint to the IPC. If you have reported the breach to the IPC, advise them of this fact.
  - Provide contact information for someone within your organization who can provide additional information, assistance, and answer questions.
Note: If you are a custodian who is a researcher and have received personal health information for research purposes from another custodian, you must not notify an individual to whom the personal health information relates, unless you are informed that the individual has given consent to being contacted.
Indirect notification to affected individuals
If your organization is considering indirect notification, you should consult with the IPC. You should be prepared to explain why you believe indirect notice is reasonable in the circumstances and your plans for it. This includes the content of your proposed notice and your strategies for distribution.
Indirect notice to individuals may be considered by your organization where one or more of these exceptional circumstances apply:
- The breach affects a significantly large number of individuals, making notifying the affected individuals directly impractical.
- The risk of harm to affected individuals has reasonably been determined to be low.
- You are unable to determine the identities of affected parties despite taking reasonable steps to do so.
- There are questions as to the reliability or accuracy of contact information.
  - Note: Outdated contact information for a portion of the affected parties does not mean that all the affected parties should be notified indirectly. In cases involving a mix of outdated and current contact information, a hybrid approach to notification involving both direct and indirect elements may be appropriate.
- Direct notification would unreasonably and significantly interfere with the operations of your organization.
  - Note: All breach notification processes will involve the expenditure of time and resources. It is only when the time and resources required to provide direct notice cause unreasonable and significant interference with your operations that indirect notice may be an option.
- Direct notification would be reasonably likely to be harmful or detrimental to the affected individuals.
Content of an indirect notice (also applies to direct notices)
After assessing the specific circumstances of the breach and determining in consultation with the IPC that indirect notice is a reasonable approach, the notice should:
- Be written in plain language.
- Provide enough information to enable someone reading the notice to easily understand how they may have been impacted by the breach.
- Describe the circumstances of the breach.
- Describe the cause of the breach, if known.
- Indicate the date or period when the breach occurred.
- Note the date when your institution became aware of the breach.
- Describe the personal information/personal health information that is impacted in as much detail as possible.
- Describe how the personal information/personal health information was affected by the breach (for example accessed, encrypted, exfiltrated, posted online, etc.).
- Describe the risk of harm to affected individuals, if known.
- Identify steps your institution has taken to contain the breach and reduce/mitigate the risk of harm to affected individuals.
- Identify additional steps individuals can take to further reduce/mitigate the risk of harm.
- Inform affected individuals that they can file a complaint with the Information and Privacy Commissioner of Ontario (as required under PHIPA and CYFSA and as of July 1, 2025, FIPPA) and provide a link to the IPC’s website.
- Provide contact information of an individual within the institution who can answer questions and provide additional information about the breach.
- State whether you have reported the matter to the IPC and other appropriate regulatory bodies, as applicable.
Distribution of an indirect notice
The indirect notice must be distributed in a way that could reasonably be expected to reach the affected individuals.
Thought and care should be put into deciding what strategy will be most effective to reach affected individuals. Multiple methods of public notification are generally most effective and are considered a best practice.
A multi-channel public notice strategy should include a combination of some, or all, of the following methods to bring the notice to the attention of the affected individuals:
- A prominent notice on your organization’s website or a dedicated website containing details about the breach.
  - If you are using your organization’s website to provide notice, ensure the notice or a link to the notice is displayed prominently on the main page of your organization’s website and that it is clearly visible without the need for scrolling or searching.
  - If you are using a dedicated breach website to provide notice, you should place a link to the breach website on the main page of your organization’s website so it is clearly visible, and visitors can click through to access the breach website.
  - All digital notices should remain posted for a reasonable period that will allow affected parties to read the notice.
  - Ensure you take reasonable steps to bring the digital notice to the attention of affected parties. Affected parties may be unlikely to visit your website or breach notice unless specifically prompted to go there by media announcements, social media posts, or other means.
- Other public outreach activities to bring the notice to the attention of the affected individuals, such as:
  - Posting notices or posters in high-traffic areas of your facility for a length of time that will allow affected parties to read the notice.
  - Placing notices in national or local newspapers.
  - Creating social media posts on relevant platforms.
  - Purchasing radio and/or TV announcements and advertising targeted to affected individuals.
  - Issuing news releases and community notices targeted to affected individuals.
  - Hosting town halls and/or webinars to provide information.
  - Any other case-specific public communication strategies that would be effective for reaching individuals affected by the breach.
Step 5: Investigation and remediation
You will be expected to conduct an internal investigation, including:
- Ensure that the immediate requirements of containment and notification have been met.
- Review the circumstances surrounding the breach.
- Review the adequacy of your existing policies and procedures in protecting personal health information.
- Ensure all staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of PHIPA.
For more information, refer to our guidance document, Responding to a Health Privacy Breach: Guidelines for the Health Sector.