IPC/Ontario issues basic cyber hygiene decision

On July 5th, the IPC/Ontario held that an Ontario medical clinic breached its PHIPA safeguarding duties by:

  • Allowing staff to use personal e-mail accounts to send patient information provided staff referred to patients only by by initials, medical reference numbers or accession numbers
  • Allowing the posting of login credentials (on sticky notes or the equivalent) to enable shared access to two computers
  • Failing to abide by the IPCs model for agent information and instruction, which requires annual privacy training and the re-signing of confidentiality agreements on an annual basis

The clinic self-corrected upon receiving the complaint, but not without defending its posting of login credentials by explaining that the two computers were physically secure and did not contain patient information. It shouldn’t have bothered. Its information and instruction failure aside, the clinic committed plain and basic network security wrongs. The IPC’s decision is notable for calling them out.

A Medical Clinic (Re), 2022 CanLII 61410 (ON IPC).