It is with extreme regret that we wish to advise of a brief security breach to our administrative email account, info@mindfullivingcentre.ca, on September 28th, 2021. From what we have been able to determine over the last number of months, an unknown third party gained temporary access to the account and its contents (either through password deciphering or “brute force” methods to bypass it). The independent IT experts we consulted have indicated that the scope of the breach was likely contained by the almost immediate changing of the account password, and we have no reason to suspect any additional breaches since the original incident.
Clients who had previously provided explicit consent to email communication from the MLC were notified of the breach via email on Sept. 30th, 2021, with a follow-up email on October 15th, 2021. To date, the MLC has not received any client or staff reports of adverse events resulting from the breach.
The extent of the information potentially compromised as a result of the breach is that which was contained in emails to and from our main account, as well as audio recordings of voicemails to our main phone line, and faxes. Please note: The Mindful Living Centre’s (MLC’s) 256-bit encrypted, PIPEDA/HIPAA compliant software program, the Jane app, which electronically houses sensitive client file information (i.e., session notes, clients’ addresses, doctor info., etc.), was NOT affected by this breach. In addition, we do not store, receive, or send credit card or any other financial information via email. We have no information to suggest that emails to our therapists’ personal email accounts, and voicemails to our therapists’ individual extensions, were subject to the breach.
Upon investigation and consultation with our email provider, an independent IT security expert, and the Information and Privacy Commissioner of Ontario (IPC) at the time of the breach, we took, or have committed to undertaking, the following steps to prevent future breaches:
Passwords to be changed with greater frequency.
In September/October, 2021, the MLC reviewed its Privacy Policy and Personal Health Information Safeguarding Guidelines to ensure they were up-to-date.
MLC Associates were reminded of the “Protecting Personal Health Information” section in the MLC Policy and Procedures Manual, with a recommendation that they review it immediately and regularly.
MLC Associates and staff were reminded to ensure anti-malware protection is installed on their devices and to have virus scans run regularly.
On November 13th, 2021, the MLC changed email providers to ensure the use of built-in security features such as 2FA, DKIM, encryption, etc. All MLC email accounts now include built-in anti-malware and anti-spam filtering.
On March 25th, 2022, the MLC held a training presentation on cybersecurity, and additional training will be offered as new information becomes available.
As an individual, you can protect yourself by deleting any suspicious emails from info@mindfullivingcentre.ca, particularly those in another language and/or containing unexpected or questionable attachments. We would advise that you do not open such attachments, and contact our office to determine authenticity, if needed. As outlined in our Privacy Policy, we strongly discourage the sharing of sensitive or personal health information via email.
If you have questions or concerns regarding this breach, please contact Neeta or Tanya at our office at (289) 270-1757.
If we are unable to resolve your concerns, you may choose to submit a formal complaint to the IPC directly at:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON, M4W 1A8
Telephone: 416 326 3333 or 1 800 387 0073
TTY: 416 325 7539
info@ipc.on.ca