Monthly Breach Tracking

The Information and Privacy Commissioner (IPC) of Ontario requires that all Health Information Custodians track and annually submit the number of privacy breaches in their office (read more info about this requirement on the IPC website).

There are four categories of breaches you must report for. They are breaches where Personal Health Information (PHI) is:

• Stolen
• Lost
• Used without authority (snooping)
• Disclosed without authority

Do not count an incident more than once. If you are reporting an incident that includes more than one of the categories listed above, choose the category that it best fits. For example, if an employee accessed PHI without authority, and then disclosed the information, count that incident as either a use OR a disclosure, but NOT both.

Monthly Breach Tracking Form

Please enable JavaScript in your browser to complete this form.

Name of Person Completing the Report: *

Enter your email address (to receive a copy of this report): *

Please enter the year you are reporting for: *

• 2023
• 2024
• 2025
• 2026

Are you reporting for a solo physician, or a group practice? *

• Solo Physician
• Group Practice

Name of the group practice you are completing the report for: *

First name of the solo physician you are completing the report for: *

Last name of the solo physician you are completing the report for: *

In the month you are reporting for, did you conduct an EMR audit? *

• Yes
• No, not this month

The IPC requires that all Health Information Custodians conduct at least one audit of their EMR each year to determine if any patient records have been accessed inappropriately (i.e. snooping) by team members. Not sure how to do an EMR audit? Download and follow our audit guides on our privacy page, or contact your assigned HFHT Quality Improvement Specialist for support.

Please enter the month you are reporting for: *

• Jan
• Feb
• March
• April
• May
• June
• July
• Aug
• Sept
• Oct
• Nov
• Dec

In the month you are reporting for, have there been any incidents where personal health information was stolen, lost, used without authority, or disclosed without authority? *

• Yes (you will be prompted to provide more information)
• No (you will be taken to the final section of this form)

Section 1: Stolen PHI (Personal Health Information)

1. In the month you are reporting for, have their been any incidents where PHI was STOLEN? (Example: Your clinic was broken into; a laptop or USB was stolen; your EMR was hacked; etc.)

• Yes
• No

1a. In the month you are reporting for, how many incidents occurred where PHI was STOLEN? Please enter a number in the text box.

1b. If you are reporting on behalf of a group practice, please enter the last name of the physician(s) to whom the breach(es) apply.

Optional

1c. In the month you are reporting for, what kind of thefts occurred in your practice? Check all that apply from the list below

• Theft by an internal party (i.e. employee, electronic service provider, etc.)
• Theft by a stranger
• Theft as a result of a ransomware attack
• Theft as a result of another type of cyber attack
• Theft where paper records were stolen
• Other Theft

1d. In the month you are reporting for, how many people were affected by incidents where PHI was STOLEN?

• One individual was affected
• 2-10 individuals were affected
• 11-50 individuals were affected
• 51-100 individuals were affected
• Over 100 individuals were affected
• Unknown

Section 2: Lost PHI (Personal Health Information)

2. In the month you are reporting for have there been any incidents where PHI was LOST? (Example: a package sent by courier never arrived at its final destination; an unencrypted USB key with patient information on it went missing; etc.)

• Yes
• No

2a. In the month you are reporting for, how many incidents occurred where PHI was LOST? Please enter a number in the text box.

2b. If you are reporting on behalf of a group practice, please enter the last name of the physician(s) to whom the breach(es) apply.

Optional

2c. In the month you are reporting for, what kind of losses occurred in your practice? Check all that apply from the list below.

• The loss was a result of a ransomware attack
• The loss was a result of another type of cyberattack
• Unencrypted, portable electronic equipment (i.e. USB key, laptop) was lost
• Paper records were lost
• Other

2d. In the month you are reporting for, how many people were affected by incidents where PHI was LOST?

• One individual was affected
• 2-10 individuals were affected
• 11-50 individuals were affected
• 51-100 individuals were affected
• Over 100 individuals were affected
• Unknown

Section 3: PHI (Personal Health Information) USED WITHOUT AUTHORITY (SNOOPING)

3. In the month you are reporting for have there been any incidents where PHI was USED WITHOUT AUTHORITY (SNOOPING)? (Example: a patient reads another patient's chart; a staff member looks at a neighbour's chart out of curiosity; etc.)

• Yes
• No

3a. In the month you are reporting for, how many incidents occurred where PHI was USED WITHOUT AUTHORITY (SNOOPING)? Please enter a number in the text box.

3b. If you are reporting on behalf of a group practice, please enter the last name of the physician(s) to whom the breach(es) apply.

Optional

3c. In the month you are reporting for, what kind of unauthorized uses occurred in your practice? Check all that apply from the list below.

• Unauthorized use was through electronic systems
• Unauthorized use was through paper records
• Other

3d. In the month you are reporting for, how many people were affected by incidents where PHI was USED WITHOUT AUTHORITY?

• One individual was affected
• 2-10 individuals were affected
• 11-50 individuals were affected
• 51-100 individuals were affected
• Over 100 individuals were affected
• Unknown

Section 4: PHI (Personal Health Information) DISCLOSED WITHOUT AUTHORITY?

4. In the month you are reporting for have there been any incidents where PHI was DISCLOSED WITHOUT AUTHORITY? (Example: a patient's health records were faxed or emailed to the wrong person; health info was released to the media; etc.)

• Yes
• No

4a. In the month you are reporting for, how many incidents occurred where PHI was DISCLOSED WITHOUT AUTHORITY? Please enter a number in the text box.

4b. If you are reporting on behalf of a group practice, please enter the last name of the physician(s) to whom the breach(es) apply.

Optional

4c. In the month you are reporting for, what kind of unauthorized disclosures occurred in your practice? Check all that apply from the list below.

• Unauthorized disclosure was through misdirected faxes
• Unauthorized disclosure was through misdirected emails
• Other

4d. In the month you are reporting for, how many people were affected by incidents where PHI was DISCLOSED WITHOUT AUTHORITY?

• One individual was affected
• 2-10 individuals were affected
• 11-50 individuals were affected
• 51-100 individuals were affected
• Over 100 individuals were affected
• Unknown

Submit