Breaches

The Health Information Act (HIA) establishes penalties for anyone who knowingly collects, misuses, or discloses health information, or who gains or attempts to gain access to health information, in contravention of the Act. Penalties include criminal charges, fines or disciplinary measures within their licensing or professional organizations.

An information privacy or security breach occurs when:

  • There is a violation of the HIA
  • The rules for accessing confidential information are not followed
  • There is a lapse in security safeguards that potentially led to either of the above

All suspected Alberta Netcare breaches must be reported by emailing the completed Provincial Reportable Incident Response Process (PRIRP) form to the Alberta Health Security team at AHSecurity@gov.ab.ca.

Breach data

A total of 674 breaches were reported under the Health Information Act (HIA) in 2018-19, a 407% increase from the previous year. The majority of these cases were caused by human error, resulting from misdirected mail, fax or email. Of these, two types of breaches pose significant health and safety consequences. First, breaches that result in a patient being given the wrong medication by their pharmacist. Second, breaches where a patient receives the wrong requisition to take to their lab, risking the wrong tests being administered.

Breach trends over the past few years

  • Mostly malware, hacking, and phishing incidents within the private sector
  • Rogue employees accessing health information outside their role
  • Human error continues to be the leading cause of breaches in the health sector
  • Theft is still a pervasive cause of breaches in all sectors


Other observations

  • Snooping and human error breaches continue – prescription error increase (close to 20%)
  • Complexity increasing with purposeful attacks (i.e., ransomware & malware)
  • A rise of breach reports that lead to offense investigations
  • 16 offense investigations open
  • 34 under-examination investigations open
  • 10 convictions under the HIA 

For more information on mandatory Breach Reporting, please visit the Mandatory breach reporting webpage.



If you require support, please visit our Contact Us page.