Notification of Breach
It is with extreme regret that we advise of a brief security breach of our administrative email account, firstname.lastname@example.org, on September 28th, 2021. From what we have been able to determine over the following months, an unknown third party gained temporary access to the account and its contents, most likely by recovering or brute-forcing the account password. The independent IT experts we consulted have indicated that the scope of the breach was likely contained by the almost immediate changing of the account password, and we have no reason to suspect any further breaches since the original incident.
Clients who had previously provided explicit consent to email communication from the MLC were notified of the breach via email on Sept. 30th, 2021, with a follow-up email on October 15th, 2021. To-date, the MLC has not received any client or staff reports of adverse events resulting from the breach.
The information potentially compromised as a result of the breach is that contained in emails to and from our main account, together with audio recordings of voicemails to our main phone line, and faxes. Please note: The Mindful Living Centre’s (MLC’s) 256-bit encrypted, PIPEDA/HIPAA-compliant software program, the Jane app, which electronically houses sensitive client file information (e.g., session notes, clients’ addresses, doctor information), was NOT affected by this breach. In addition, we do not store, receive or send credit card or any other financial information via email. We have no information to suggest that emails to our therapists’ personal email accounts, or voicemails to our therapists’ individual extensions, were subject to the breach.
Upon investigation and consultation with our email provider, an independent IT security expert, and the Information and Privacy Commissioner of Ontario (IPC) at the time of the breach, we took, or have committed to undertaking, the following steps to prevent future breaches:
- Passwords are to be changed more frequently.
- MLC Associates were reminded of the “Protecting Personal Health Information” section in the MLC Policy and Procedures Manual, with a recommendation that they review it immediately and regularly.
- MLC Associates and staff were reminded to ensure Anti-malware protection is installed on their devices and to have virus scans run regularly.
- On November 13th, 2021, the MLC changed email providers in order to use built-in security features such as two-factor authentication (2FA), DKIM signing and encryption. All MLC email accounts now include built-in anti-malware and anti-spam filtering.
- On March 25, 2022, the MLC held a training presentation on cybersecurity, and additional training will be offered as new information becomes available.
If you have questions or concerns regarding this breach, please contact Neeta or Tanya at our office at (289) 270-1757.
If we are unable to resolve your concerns, you may choose to submit a formal complaint to the IPC directly at:
Information and Privacy Commissioner of Ontario
2 Bloor Street East Suite 1400 Toronto, ON, M4W 1A8
Telephone: 416-326-3333 or 1-800-387-0073 | TTY: 416-325-7539 | www.ipc.on.ca
Our Commitment to Privacy
Personal and private information is regulated in Ontario under the Personal Health Information Protection Act, 2004 (PHIPA) and in Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA). More information can be found on the Information and Privacy Commissioner of Ontario’s website (www.ipc.on.ca).
At The Mindful Living Centre, personal health information may be collected in person or online in order to facilitate the provision of our services. In addition, personal contact information may be collected from the website with your consent in order to provide further information about our services.
There are circumstances in which The Mindful Living Centre is ethically or legally obligated to release private information. These circumstances include:
– if there is an immediate and significant threat to the health and safety of the client or another identifiable person
– if a child under 16 years of age, or an individual in a long-term care facility is at risk of harm or abuse
– if a client reports that they have been sexually assaulted by another regulated professional
The Mindful Living Centre may also be required to release private information if it is requested by a court of law.
Some private information may be released to third parties, such as insurance companies or legal professionals, for administrative purposes. Information released to third parties may include legal name, billing information, and the details of your appointments (e.g., date, time, duration, number of visits, fee).
Some personal data may be used to measure client satisfaction and the effectiveness of the treatment received at The Mindful Living Centre. This information is presented anonymously and does not include any of the details of your services.
Contact information (such as email) may occasionally be used to inform clients of other services or special announcements made by The Mindful Living Centre, with your consent. If you do not want to receive these emails you can opt out at any time by notifying our Clinic Coordinators. The Mindful Living Centre complies with Canada’s Anti-Spam Legislation (CASL), under which implied consent to such email expires 2 years after the last point of service.
Personal information is secured when not being used for the delivery of our services. In addition, our website has security measures in place to ensure safe usage and protection of any personal information collected while using the website.
Personal information is kept for a minimum of 10 years from the last instance of service you have received from The Mindful Living Centre, or for 10 years following the client’s 18th birthday, whichever is later. After this point, paper and electronic sources of personal information are destroyed. These practices are in accordance with the standards of The College of Psychologists of Ontario.
Electronic Communication Risks
The Mindful Living Centre (MLC) places great value in maintaining the privacy and confidentiality of our clients’ personal health information. As a part of this commitment, we strive to educate our clients on the risks of email communication so that we can collectively work towards protecting your privacy. With your consent, email you receive from the MLC may consist of general information about the Centre and its services, information about scheduling (e.g., available appointment dates and times, appointment booking notifications, appointment reminders) and billing. Access to emails you send us is limited to our administrative personnel and your assigned therapist. Because of the security risks associated with email, the MLC encourages clients to avoid sending sensitive personal health information over email whenever possible.
The MLC offers clients the opportunity to communicate by email. The MLC uses reasonable means to protect the security and confidentiality of email information sent and received. However, because of the risks outlined below, the MLC cannot fully guarantee the security and confidentiality of email communication:
– Email can inadvertently be sent to the wrong recipient.
– Email communications can be forwarded, intercepted, stored or changed without the knowledge or permission of the original sender, and may also be vulnerable to hacking by third parties.
– Email can inadvertently introduce malware to your computer system.
– Employers and online services may have the right to inspect and keep emails that pass through their systems.
– It is difficult to verify the true identity of an email’s sender, or to ensure that the intended recipient is the only person who will read the email.
– Email is often accessed on portable devices (e.g., phones and laptops) which are vulnerable to theft and loss.
– Email can be used as evidence in court.
– Even after an email is deleted, a copy may still exist in a backup on your computer or on the mail provider’s servers.
Consent to the use of email to and from the MLC office includes your agreement and acknowledgement of the following:
– Please inform us of any changes in email address or if you wish to change your email communication preferences (such as appointment confirmations/reminders etc.).
– Please refrain from using email for emergencies or other time-sensitive matters.
– Emails may be printed and stored as a part of your clinical record. Should other individuals (e.g., insurance company, court) be authorized to access your record, access to those emails could occur.
Your personal or sensitive information is best discussed in person or over the phone. Your therapist may decline to discuss such matters over email.
I acknowledge that I have read and fully understand the MLC email communication consent forms and the risks associated with using email communication, and consent to the conditions outlined herein. I have had the opportunity to clarify any questions I may have had. I understand that by signing this form electronically, I agree that my electronic signature is the equivalent of my manual/handwritten signature.
Phone or Text: (289) 270-1757 | Fax: (289) 270-1751 | Email: email@example.com
Milton, ON Location: 400 Bronte Street South, Unit 219
Burlington, ON Location: 5045 Mainway Avenue, Unit 204
For general information on privacy legislation, contact the Information and Privacy Commission of Ontario:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8
Phone (416) 326-3333 | 1-800-387-0073 | Fax (416) 325-9195 | TTY (416) 325-7539 | www.ipc.on.ca
You can also contact The College of Psychologists of Ontario:
110 Eglinton Avenue West, Suite 500 Toronto, Ontario M4R 1A3
Phone: (416) 961-8817 | (800) 489-8388 | Fax (416) 961-2635 www.cpo.on.ca