Privacy Breach: Assessing the Real Risk of Significant Harm

A real-life medical record horror story took place this summer when a group held for ransom a company that provides home medical care services on behalf of the Ontario government. The security breach included thousands of patient medical records containing contact information, health card numbers and detailed histories that ranged from diagnoses and procedures to care plans.

Some even involved active credit card numbers and expiry dates with security codes.

Real Risk of Harm

That’s an extreme example of what’s possible, but the new rule changes to Canada’s federal private sector privacy law — which covers physician practices — that came into effect on November 1, 2018 mean that you must report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm.”

So how do you define that? What is a real risk of significant harm (RROSH)?

It’s up to your practice to develop a framework for how to assess this and to apply it consistently. According to the Office of the Privacy Commissioner of Canada, the factors to keep in mind include both the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being, or will be misused. This makes decisions such as outsourcing medical transcription services to a company with a proven track record of protecting patient privacy an important consideration.

Although the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal law that generally governs private sector privacy in Canada (provinces may adopt their own substantially similar versions), doesn’t define sensitivity, it does specifically refer to medical records as “almost always being considered sensitive.”

The potential harm to an individual is the most important consideration.

Below are some key questions to ask regarding the probability of misuse, according to the privacy office.

  • What happened (information lost, inappropriately accessed or stolen) and how likely is it that someone would be harmed by the breach?
  • Who actually accessed or could have accessed the personal information?
  • How long has the personal information been exposed?
  • Is there evidence of malicious intent (e.g., theft, hacking) or has harm materialized?
  • Were a number of pieces of personal information breached, thus raising the risk of misuse?
  • Is the breached information in the hands of an individual or entity that in itself represents a reputational risk to the affected individual(s)? (e.g. an ex-spouse or a boss, depending on the specific circumstances)
  • Was the information exposed to individuals or entities who have a low likelihood of sharing it in a way that would cause harm? (e.g. an accidental disclosure to unintended recipients)
  • Is the personal information adequately encrypted, rendered anonymous or otherwise not easily accessible?

Next up: The importance of keeping records.


2Ascribe Inc. is a medical transcription services agency located in Toronto, Ontario Canada, providing medical transcription services to physicians, clinics and other healthcare providers across Canada. Our medical transcriptionists take pride in the quality of your transcribed documents. WEBscribe is our client interface portal for document management. 2Ascribe continues to implement and develop technology to assist and improve the transcription process for physicians and other healthcare providers, and recently introduced AUTOfax. AUTOfax works within WEBscribe to automatically send faxes to referring physicians when a document is signed off by the healthcare professional. As a service to our clients and the healthcare industry, 2Ascribe offers articles of interest to physicians and other healthcare professionals, medical transcriptionists and office staff, as well as of general interest. Additional articles may be found at
