1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

11/25/2019

0 Comments

Healthcare Sector Breach Reports Rise After Mandatory Reporting Implementation

 
healthcare sector breach reports canada

Healthcare Sector Breach Reports Rise After Mandatory Reporting Implementation

The Office of the Information and Privacy Commissioner of Alberta recently released an annual report, covering the period of April 1, 2018 to March 31, 2019, showing a 407% increase in healthcare sector data breaches. The spike of healthcare sector data breach reports was similarly seen in Ontario.

The period covered by the annual report includes only seven months of mandatory breach reporting in the healthcare sector in Alberta. Alberta’s Health Information Act took effect on August 31, 2018, mandating the more than 54,900 health information custodians in the province, including Alberta Health, Alberta Health Services, Covenant Health, nursing homes, physicians, registered nurses, pharmacists, optometrists, opticians, chiropractors, podiatrists, midwives, dentists, denturists and dental hygienists to notify an individual affected by a privacy breach as well as notify the Information and Privacy Commissioner of Alberta and the Minister of Health.

The Alberta law also provides penalty provisions in case the health information custodian fails to report a breach or fails to take reasonable steps in maintaining safeguards to protect health information.

The Office of the Information and Privacy Commissioner of Alberta reported that a total of 674 breaches were reported under Alberta’s Health Information Act during the period of April 1, 2018 to March 31, 2019, representing a 407% increase compared to the reported average of 130 healthcare sector data breaches for the last few years.

In the report written by Jill Clayton, Information and Privacy Commissioner of Alberta, many of the healthcare sector data breaches are relatively easy to address, requiring only the health information custodians to notify the affected individuals and to take preventive steps to prevent similar events from re-occurring in the future. A significant number of these cases, Clayton said, are much more serious, involving law violation and affecting hundreds to thousands of Albertans. A significant number of these cases, Clayton said, often becomes offense investigations and can result in significant court-imposed fines for offending parties.

The Information and Privacy Commissioner of Alberta said that active offense investigations have risen from 5-6 at any one time to over 20 as of September 30, 2019, with nearly 70 healthcare sector data breaches flagged as potential offenses. Since Alberta’s Health Information Act took effect on August 31, 2018, the Commissioner said there have been 10 convictions for knowingly accessing health information under the said Alberta law.

The Commissioner also reported that since the Health Information Act took effect, more snooping breaches – unauthorized access to health information by authorized users of health information systems – have been reported. “Cyberattacks were also reported more frequently, which is a concern that will need to be monitored,” the Information and Privacy Commissioner of Alberta said.

Healthcare Sector Data Breach Reports in Ontario

The spike of healthcare sector data breach reports was similarly seen in Ontario. In late 2017 Ontario’s Personal Health Information Protection Act took effect, requiring health information custodians, including hospitals, pharmacies, doctors’ offices, and dental clinics to report health privacy breaches to the Information and Privacy Commissioner of Ontario.

In the period covering the first full year of the mandatory healthcare sector breach reporting, from January 1 to December 31, 2018, the Information and Privacy Commissioner of Ontario reported that self-reported breaches in the healthcare sector rose from 322 in 2017 to 506 in 2018. Out of the 506 breaches reported, 120 were snooping incidents, 15 were ransomware and other cyberattacks, while the remaining 371 were due to lost, stolen or misdirected health information, records not properly secured and other collection, use and disclosure issues.

According to the Information and Privacy Commissioner of Ontario, the rise in snooping incidents wasn’t indicative of the rise of snooping incidents, but rather health information custodians have better methods of detection, such as the use of using data analytics to monitor and audit health information systems for unauthorized access and other types of health privacy breaches. The Information and Privacy Commissioner of Ontario also noted that the rise of self-reported breaches in the healthcare sector rose as health information custodians are now required to report breaches, unlike in previous years where it was only recommended to do so.

Cyber Attacks: A Growing Concern in Health Care

In the 2018 Annual Report for the Information and Privacy Commissioner of Ontario to the Legislative Assembly of Ontario, Commissioner Brian Beamish said that in 2018, Ontario’s health care sector was a prime target of ransomware and other cyber-attacks, with victims ranging from local health integration networks to long-term care facilities.

In June 2018, CarePartners, a home care service provider to Ontario's Local Health Integration Networks (LHINs) and an Ontario-based community health care agency, reported a data breach to the Information and Privacy Commissioner of Ontario. “The cyber-attack breached CarePartners' computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed by the perpetrators,” CarePartners said in a statement. The health care agency, however, didn’t specify the extent of the data breach in the public statement.

Commissioner Beamish said that cyber-attacks, in particular ransomware attacks, underscored the importance of the following:

  1. Employee training and awareness of the serious threat posed by ransomware;
  2. Tangible benefits of regular data backups of electronic files; and
  3. Significant value of antivirus software that helps prevent, detect and remove malware through regular, real-time scans.

In the area of snooping or unauthorized access to health information by authorized users of health information systems, Commissioner Beamish said artificial intelligence can be used to curb unauthorized access. "When deployed properly, technology that identifies anomalous behaviour is a valuable tool for health information custodians, to not only detect and deter unauthorized snooping but to immediately identify and respond to cybersecurity threats,” Commissioner Beamish said.

Healthcare organizations are a prime target for cybercriminals. Let us help you protect patient information and mitigate IT security related risks.

Contact us today to get started.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit