Privacy breaches are going up in Alberta – Protect your practice

The Office of Information and Privacy Commissioner (OIPC) revealed that the number of privacy breach reports in Alberta has gone up almost 800% since mandatory breach reporting came in last year. As the government and your patients get more and more serious about privacy, you need to be aware of how the breaches hitting the news happen, so you can take the right steps to protect your practice from being reported in privacy breach news.

In recent months, news outlets across Canada have reported on significant breaches in Alberta.

Gmail isn’t safe for patient information: 

Email is a convenient way to communicate, and patients are looking for clinics that offer the kind of convenience and access they enjoy in all other aspects of their lives. In August 2019, a physician in Calgary was investigated because he had used Gmail to communicate information pertaining to 7,000 patients and his account was hacked. The hack gave the attacker unauthorized access to the account and enabled them to impersonate the physician when reaching out to patients.

This breach investigation has prompted a notice from AHS to physicians to cease using traditional email and to ensure all digital communications outside of AHS are conducted using a secure system. Brightsquid Secure-Mail is such a system.

Breaches result in fines, loss of opportunity, and more:

A case involving a former AHS billing clerk in Red Deer was in the news this summer when the clerk pled guilty to illegally accessing the health records of 52 Albertans and was fined $5,000 and ordered not to access patient information for one year. This type of story is not without precedent; it’s the second such conviction in 2019. There are dozens of similar cases in the OIPC Breach Notification Decisions and Notification Reports available online.

Ransomware is gaining on healthcare in Canada:

A CBC News article from October 2019 reveals that the number of ransomware attacks targeting Canadians is on the rise. 82% of Canadian companies reported an increase in the number of attacks they’re seeing. Earlier in the year, three Ontario hospitals were infected, and an attacker that hit a dental clinic demanded over $100,000 to release patient files.

Ransomware infections that lock up patient files can be detrimental to any clinic or organization as they likely require notification to all of your patients (and the OIPC) that there has been unauthorized access to their private information.

Training is a critical safeguard:

The common thread in all of these cases is a need for better training. 

  • Had the physician using Gmail been made aware of the risks of using traditional email and the secure compliant options available, there may have never been an issue. 
  • Training staff on the regulations surrounding access to patient information and the repercussions of improper access likely would have protected patients in the Red Deer case from the breach of their private information.
  • Ransomware is a risk everyone in your clinic has to be aware of. Cybersecurity training that covers ransomware identification (before it’s clicked) is important for the security of your clinic and the privacy of your patients.

If you have any questions about how you can secure your clinic against these threats, contact today.