Addressing a Data Breach
This Data Path describes a conversation between a patient and a hospital privacy officer in regard to a data breach.
Download 
Share a Link 
My name is Euan Blake. I just got a letter telling me that my health information has been compromised because the hospital has had a privacy breach.
Hello. Thank you for contacting me. I am the privacy officer for the hospital. Yes, unfortunately we became aware of the incident and have notified many individuals who were affected.
Well... can you tell me how did this happen?
We are conducting a full investigation of the incident. What we do know is that there was a cyber-attack on our health system by an unauthorized third party and there were many records that appear to have been accessed inappropriately. I assure you we are doing everything we can to resolve the issue.
This is very upsetting. It says that my entire record was leaked, including my name, address, my health card number, my health conditions, my credit card, and just about everything else about me that you had on file.
I understand that you are upset and I hope I can answer your questions. We are working with the Canadian Centre for Cyber Security and the RCMP to conduct a thorough investigation.
What am I supposed to do now? Does this mean that anyone can see my information on the internet?
We cannot say for certain who has information about you at this time. However, we are working through a breach protocol to gain better insights on the nature and extent of the incident. We will keep you updated, but the best thing for you to do right now is to contact your financial institution and ask about credit monitoring, and you can also contact one of the credit bureaus like TransUnion or Equifax. We will cover specific costs associated with monitoring.
Well I guess that will help protect my finances, but it won't take away the feeling I have that someone can know all of the procedures and health issues I've had. I don't even tell my closest friends this stuff. This makes me not want to share anything about me anymore.
I know that this is frustrating and makes you uneasy. I assure you that we have policies and procedures in place and are making enhancements to our data practices and security so this won't happen again. We will be sending you more information on other steps that can be taken to protect your information, along with information to advise you in case you become a victim of identity theft.
Thank you for your help. I know you are doing what you can and you are not personally responsible for causing this, however this doesn't feel good. Right now, I am left feeling like I cannot trust my own doctors and nurses (or hospital/clinic) with sensitive information about me. I'm anxious that someone is going to see that I have a medical condition that I really didn't want anyone to know about - not even my own family! Also, what happens if someone uses my health information against me or steals my identity to open a bank account and then that can affect my credit score? There are just a lot of unknowns here that make me uneasy. Either way, I will do as you've suggested and will wait to hear an explanation from you on how exactly this happened and what you are doing to make sure it never happens again.
For purposes of this Data Path, Canadian terminology and definitions have been used for consistency. We acknowledge that different jurisdictions and/or data protection regulations include different terms or definitions to describe similar concepts. Please refer to the FAQs for further information.