What is a Privacy Breach?

Executive Summary

We gathered some interesting information from the Office of the Privacy Commissioner of Canada regarding privacy breaches and summarized it in this article.

Privacy breaches are a security risk that has become more prevalent in the last many years with advances in technology and use of electronic information. Privacy breaches can cause long-term consequences for organizations due to the loss of customer trust. Below are a few preventative measures that can be taken to towards hindering the risk of privacy breaches. 

We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.

What is a Privacy Breach?

A privacy breach occurs when there is unauthorized access to collection, use or disclosure of information. Some of the most common instances of a privacy breach happen when the personal information of a patient, customer or client is stolen, lost or mistakenly disclosed. A privacy breach can cause long-term and short-term consequences for an organization. Outlined below are some steps to take when faced with a privacy breach:

  • Preliminary Assessment - In the case of a breach, immediately contain the breach. Designate the appropriate individual and team to research and investigate the breach. 
  • Identify Risks Associated with the Breach - To accurately determine the risk, the organization should take into account the personal information involved, the individuals affected by the breach, the cause and extent of the breach as well as the possible harm from the breach.
  • Notification - All liable and involved parties must be informed of the breach. Additionally, the organization should remember their legal and contractual obligations and the risks involved in the breach.
  • Prevention of Breaches - Outlined below are a few preventative measures that can be taken to assure that a breach is not repeated.

How to Prevent a Privacy Breach

  1. Know what information you obtain - Data inventories and process maps are tools that will help to ensure you know exactly what information needs protection. Keeping track of the data you obtain will ensure that you are aware of when and where you need to protect it.
  2. Know your vulnerabilities - Conducting assessments/tests within the organization in regards to privacy ensures that threats can be identified. Notice your organizations weak points to work towards stopping and identifying possible breaches.
  3. Know the industry - Keep tabs on other breaches that occur in the same industry. Often breachers will use the same attacks on multiple organizations. Pay attention to news alerts and other information related to the industry of your organization.
  4. Encryption - Some of the most common cases of breaches come from loss, theft and unencrypted files. Encrypting these files will add a layer of protection on the information.
  5. Limit the collection of personal information and retention -   Know if the collection of said information is required. Additionally, if the personal information is collected for a selected or limited purpose, safely dispose of it after use.
  6. Know when information is no longer needed - Many breaches occur on files that have been left alone for long periods of time. Knowing when to dispose of information can prevent breaches of personal information.
  7. Employee training - Ensure that the employees are trained and aware of ongoing privacy and security policies. Having constant training and awareness programs will ensure that all ground is covered and employees know how to prevent a breach and protect information.
  8. Limit access to information - Access to personal information should be limited to what needs to be known. Monitored access logs can help identify unusual information.
  9. Updated software and safeguards - Establish an up to date process to ensure that security-related patches are applied. Ensure that the virus and malware definitions are up to date and working correctly.
  10. Monitor and implement intrusion prevention - Ensure that a system is in place to prevent intrusions and that there is a monitoring network to track information and intruders.