The digital age requires that personal data be handled carefully. The threat posed by unauthorized access to personal data should not be underestimated.
Saskatchewan's privacy commissioner has emphasized that private clinics should be covered by the provincial Health Information Protection Act. The commissioner's call comes after a cyberattack on a Saskatoon sports rehab clinic, which has raised questions about how private clinics in Saskatchewan should handle personal information.
The internet has made it possible for anyone with malicious intent to launch an attack from nearly anywhere in the world. That was the case with Pro Sport Rehab and Fitness, whose medical record database was targeted by a ransomware attack.
The incident, which took place in October, saw the patient information in the database encrypted and held for ransom. Shortly after the attack, the clinic's owner contacted the Saskatchewan Information and Privacy Commissioner to seek guidance.
The privacy commissioner's investigation revealed that the database contained addresses, phone numbers and health-care numbers, all of which were affected by the attack. Unfortunately, Saskatchewan's Health Information Protection Act (HIPA) does not cover private clinics.
Commissioner Ronald Kruzeniski said it is wrong that corporations providing health services in Saskatchewan, such as Pro Sport, are not covered by the definition of trustee in HIPA. This creates a problem: citizens of such clinics do not have the same access and privacy rights and protections with respect to their personal health information.
In a statement, the privacy commissioner said he had raised the issue with the provincial government many times in the past, but private clinics remain outside the privacy law. The commissioner noted that most citizens in Saskatchewan may not know whether the personal health information entrusted to their health-care provider is protected by HIPA.
In his recommendations, the privacy commissioner said that Pro Sport should only collect clients' health services numbers where the care provided is paid for by the public system. He also recommended that Pro Sport destroy all health services numbers in its database that are not necessary.
The commissioner also recommended that the clinic notify all affected individuals of the ransomware breach. Kruzeniski said the company ought to follow privacy best practices, such as ensuring that only authorized persons can access the database.