Healthcare Sector Breach Reports Rise After Mandatory Reporting Implementation

Healthcare Sector Breach Reports Rise After Mandatory Reporting Implementation

The Office of the Information and Privacy Commissioner of Alberta recently released an annual report, covering the period of April 1, 2018 to March 31, 2019, showing a 407% increase in healthcare sector data breaches. The spike of healthcare sector data breach reports was similarly seen in Ontario.

The period covered by the annual report includes only seven months of mandatory breach reporting in the healthcare sector in Alberta. Alberta’s Health Information Act took effect on August 31, 2018, mandating the more than 54,900 health information custodians in the province, including Alberta Health, Alberta Health Services, Covenant Health, nursing homes, physicians, registered nurses, pharmacists, optometrists, opticians, chiropractors, podiatrists, midwives, dentists, denturists and dental hygienists to notify an individual affected by a privacy breach as well as notify the Information and Privacy Commissioner of Alberta and the Minister of Health.

The Alberta law also provides penalty provisions in case the health information custodian fails to report a breach or fails to take reasonable steps in maintaining safeguards to protect health information.

The Office of the Information and Privacy Commissioner of Alberta reported that a total of 674 breaches were reported under Alberta’s Health Information Act during the period of April 1, 2018 to March 31, 2019, representing a 407% increase compared to the reported average of 130 healthcare sector data breaches for the last few years.

In the report written by Jill Clayton, Information and Privacy Commissioner of Alberta, many of the healthcare sector data breaches are relatively easy to address, requiring only the health information custodians to notify the affected individuals and to take preventive steps to prevent similar events from re-occurring in the future. A significant number of these cases, Clayton said, are much more serious, involving law violation and affecting hundreds to thousands of Albertans. A significant number of these cases, Clayton said, often becomes offense investigations and can result in significant court-imposed fines for offending parties.

The Information and Privacy Commissioner of Alberta said that active offense investigations have risen from 5-6 at any one time to over 20 as of September 30, 2019, with nearly 70 healthcare sector data breaches flagged as potential offenses. Since Alberta’s Health Information Act took effect on August 31, 2018, the Commissioner said there have been 10 convictions for knowingly accessing health information under the said Alberta law.

The Commissioner also reported that since the Health Information Act took effect, more snooping breaches – unauthorized access to health information by authorized users of health information systems – have been reported. “Cyberattacks were also reported more frequently, which is a concern that will need to be monitored,” the Information and Privacy Commissioner of Alberta said.

Healthcare Sector Data Breach Reports in Ontario

The spike of healthcare sector data breach reports was similarly seen in Ontario. In late 2017 Ontario’s Personal Health Information Protection Act took effect, requiring health information custodians, including hospitals, pharmacies, doctors’ offices, and dental clinics to report health privacy breaches to the Information and Privacy Commissioner of Ontario.

In the period covering the first full year of the mandatory healthcare sector breach reporting, from January 1 to December 31, 2018, the Information and Privacy Commissioner of Ontario reported that self-reported breaches in the healthcare sector rose from 322 in 2017 to 506 in 2018. Out of the 506 breaches reported, 120 were snooping incidents, 15 were ransomware and other cyberattacks, while the remaining 371 were due to lost, stolen or misdirected health information, records not properly secured and other collection, use and disclosure issues.

According to the Information and Privacy Commissioner of Ontario, the rise in snooping incidents wasn’t indicative of the rise of snooping incidents, but rather health information custodians have better methods of detection, such as the use of using data analytics to monitor and audit health information systems for unauthorized access and other types of health privacy breaches. The Information and Privacy Commissioner of Ontario also noted that the rise of self-reported breaches in the healthcare sector rose as health information custodians are now required to report breaches, unlike in previous years where it was only recommended to do so.

Cyber Attacks: A Growing Concern in Health Care

In the 2018 Annual Report for the Information and Privacy Commissioner of Ontario to the Legislative Assembly of Ontario, Commissioner Brian Beamish said that in 2018, Ontario’s health care sector was a prime target of ransomware and other cyber-attacks, with victims ranging from local health integration networks to long-term care facilities.

In June 2018, CarePartners, a home care service provider to Ontario's Local Health Integration Networks (LHINs) and an Ontario-based community health care agency, reported a data breach to the Information and Privacy Commissioner of Ontario. “The cyber-attack breached CarePartners' computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed by the perpetrators,” CarePartners said in a statement. The health care agency, however, didn’t specify the extent of the data breach in the public statement.

Commissioner Beamish said that cyber-attacks, in particular ransomware attacks, underscored the importance of the following:

1. Employee training and awareness of the serious threat posed by ransomware;
2. Tangible benefits of regular data backups of electronic files; and
3. Significant value of antivirus software that helps prevent, detect and remove malware through regular, real-time scans.

In the area of snooping or unauthorized access to health information by authorized users of health information systems, Commissioner Beamish said artificial intelligence can be used to curb unauthorized access. "When deployed properly, technology that identifies anomalous behaviour is a valuable tool for health information custodians, to not only detect and deter unauthorized snooping but to immediately identify and respond to cybersecurity threats,” Commissioner Beamish said.

Healthcare organizations are a prime target for cybercriminals. Let us help you protect patient information and mitigate IT security related risks.

Contact us today to get started.