Privacy Incident & Breach Management

Policy Owner: Chief Privacy Officer


Date of Last Revision: Feb 27, 2026


Purpose 


This document establishes the plan for managing a Privacy Event. A Privacy Event means that Protected Health Information (PHI) or Personal Information (PI) has deviated from its intended path, resulting in potential unauthorized exposure.  There are two types of Privacy Events: 1) Privacy Incidents and 2) Privacy Breaches. This document offers information about how employees or incident responders respond to these events. 


Scope 


This policy covers all information security or data Privacy Events including Privacy Incidents and Privacy Breaches.


The following sections (Definitions, Responsibilities, Reporting and Procedure) are published publicly at https://about.caredove.com/legal/privacy-incident-breach-management


Definitions


Please see the Caredove Privacy Policy for related definitions of terms such as Protected Health Information (PHI) and Personal Information (PI), and for clarification of Canadian and U.S. terminology for business entities (Canada: HICs / HINPs / Agents; USA: Business Associate / Covered Entity). For the purpose of this document, the PHIPA term “Health Information Custodian (HIC)” is used, but it may be interpreted equivalently to “Covered Entity” in the context of U.S. HIPAA.


Privacy Incidents and Breaches


A Privacy Event means that Protected Health Information (PHI) or Personal Information (PI) has taken a path it wasn’t intended to take, which potentially exposes it to unauthorized human eyes.  There are two types of Privacy Events: 1) Privacy Incidents and 2) Privacy Breaches.


A Privacy Incident includes:

  • A contravention of the privacy policies, procedures or practices implemented by Caredove, where this contravention does not result in unauthorized access, use, disclosure, loss or theft of Protected Health Information (PHI) and remains in compliance with applicable privacy law.
  • A contravention of agreements which Caredove enters into with external stakeholders and third party service providers, including but not limited to data sharing agreements, confidentiality and non-disclosure agreements and agreements with third party service providers retained by Caredove, where this contravention remains in compliance with applicable privacy law.
  • A suspected Privacy Breach.


A Privacy Breach includes:

  • The unauthorized acquisition, access, use, disclosure, loss or theft of PHI/PI that is not in compliance with applicable personal health privacy laws.


Privacy Breach or Incident exclusions:

The following situations are not considered Privacy Incidents or Breaches, provided they are assessed and determined to pose no real risk of significant harm under applicable privacy laws:

  • Authorized Access Within Policy Limits - Any access to PI/PHI that is permitted under the Caredove Privacy Policy.
  • Accidental Access by Authorized Personnel - Unintentional access, acquisition, or use of PHI by a workforce member acting within their authorized role, provided the information is not further used or disclosed improperly.
    (Example: A staff member unintentionally opens the wrong health record, immediately exits and accesses the correct one.)
  • Inadvertent Disclosures Between Authorized Personnel - PHI is inadvertently disclosed to another authorized individual within the same organization, and it is not further used or disclosed improperly.
    (Example: A staff member briefly sees a PHI record on a colleague’s screen but does not interact with or retain the information.)
  • Incidental Disclosures Where Retention Is Unlikely - A disclosure where the recipient was unlikely to retain or misuse the information.
    (Example: A search function displays names of unintended patients with the same first name, but no additional details are viewed or retained.)


Each situation will be reviewed on a case-by-case basis to confirm compliance with the Caredove Privacy Policy, and applicable privacy laws.


Except as provided in the exclusions, an unauthorized acquisition, access, use, disclosure, loss or theft of PHI is presumed to be a Breach unless Caredove Inc, the external stakeholder or the third party service provider demonstrates in a documented risk assessment that there is a low probability that the PHI has been compromised. This assessment includes, at a minimum, the following factors:

  • Nature and sensitivity of the information, and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The nature of the unauthorized person who used the PHI or to whom the disclosure was made
  • The probability of misuse, using a reasonableness test to determine whether the PHI was actually acquired, accessed, used, disclosed, lost or stolen, and the risk of harm from misuse
  • The ongoing risk, considering the extent to which the risk to the PHI has been mitigated, and the extent to which the risk to PHI remains


Responsibilities


The Chief Privacy Officer (CPO) at Caredove is responsible for leading the design and operation of the Agency’s privacy program, including putting processes, practices and tools in place to manage, investigate and remediate Privacy Incidents or Breaches. The CPO is also responsible for handling the end-to-end Privacy Breach management efforts.


The CPO (or delegate) is responsible for classifying an event as either a Privacy Incident or Privacy Breach. This is done carefully, as the consequence of error in classification can be significant. Employees are to consult the internally available Privacy Event playbook.


The CPO is considered the ultimate authority for interpreting, implementing, enforcing and maintaining this Policy. Where a Privacy Incident or Breach is intentional or the result of negligent work practices, disciplinary action will be taken up to and including termination of employment.


The CPO is responsible for monitoring compliance with this Policy. Caredove personnel and third party service providers must comply with this procedure.


All personnel and third party service providers are responsible for actively supporting the CPO in Privacy Incidents or Privacy Breach containment, investigation and remediation activities as needed. Some of these activities may occur concurrently.


Reporting


It is the Policy of Caredove Inc to provide timely notification to the affected organizations of all Privacy Breaches of PHI involving Caredove of which Caredove Inc becomes aware.


All personnel and third party service providers are responsible for immediately reporting suspected Privacy Incidents and Privacy Breaches to the CPO of Caredove.


Personnel and third party service providers are required to provide a description of the Privacy Incident or Breach, the individuals involved and immediate steps taken, if any, to contain the Privacy Incident or Breach.


If an organization identifies a potential security event related to its use of Caredove, or determines that it is the source of a Privacy Breach, it must immediately notify the CPO of Caredove.


Depending on the jurisdiction, Privacy Breaches which involve a real risk of significant harm may require further reporting to a privacy commission or similar body. Caredove Inc will work in partnership with affected organizations to facilitate this reporting.


Procedure


Phase 1 – Identification and Containment


Identification

If there is reason to believe that a potential Privacy Breach of PHI has occurred, the CPO, or their designated representative, must be notified immediately.


The notification of potential Privacy Breach is to include the following:

  • Names
  • Dates
  • The nature of the PHI potentially breached
  • The manner of the disclosure (fax, email, mail, verbal)
  • All employees involved
  • The recipient
  • All other persons with knowledge
  • Any associated written or electronic documentation that may exist.

Notification and associated documentation may itself contain PHI and should only be given to the CPO or their designated representative.


Containment

The containment phase of the Privacy Incident and Breach management process focuses on confirming that a Privacy Incident or Breach has transpired, preventing additional information assets from being affected, ensuring affected information assets are not further compromised, minimizing adverse impact to all parties and restoring normal operation as quickly as possible.


Examples of containment activities may include:

  • Suspending the unauthorized practice that resulted in the Privacy Incident or Breach;
  • Recovering affected records containing PI/PHI;
  • Shutting down the system that was breached;
  • Revoking access permanently or temporarily to a system; and
  • Contacting law enforcement (if the Privacy Breach involves theft or other criminal activity).

It is the policy of Caredove that all reported Privacy Incidents and Breaches shall be contained immediately. Immediate containment helps to prevent Privacy Incidents from becoming Privacy Breaches, and helps to prevent further unauthorized collection, use and/or disclosure of PI/PHI.


Phase 2 – Investigation & Risk Assessment


Investigation

Once a Privacy Incident or Breach has been appropriately contained, it shall be investigated by the CPO. Investigation will identify the root cause of the Privacy Incident or Breach as well as the information assets, individual(s)/organization(s), and IT systems and hardware involved in the Privacy Incident or Breach.

The investigation shall include the following activities:

  • Interviewing employees involved
  • Interviewing Caredove user organizations (as needed)
  • Collecting written documentation
  • Completing all appropriate documentation
  • Conducting a forensic investigation (optional depending on the nature of the Privacy Event)

Based on the findings of the investigation, the CPO determines short-term and long-term remediation strategies which are documented in a Privacy Breach Management Report. The recommendations from the investigation shall be implemented within the stated time frame. The Privacy Breach Management Report shall be logged in the corporate compliance database.


Sanctions or re-training shall be applied to all workforce members who caused or created the conditions that allowed the Privacy Breach to occur, according to Caredove's Sanction Policy.


Risk Assessment

Upon completion of the investigation, the CPO, or their designated representative, shall perform and document the Risk Assessment and make a recommendation to executive management and/or legal counsel regarding whether notification to the Health Information Custodian (HIC) (or “Covered Entity”) of the potential Privacy Breach would be prudent.


When executing the risk assessment, a “reasoned judgment” standard will be applied to the Privacy Event, which shall be fact-specific and shall consider the following factors:

  • Did the disclosure involve Unsecured PHI in the first place?
  • Who impermissibly used or disclosed the Unsecured PHI?
  • To whom was the information impermissibly disclosed?
  • Was it returned before it could have been accessed for an improper purpose?
  • What type of Unsecured PHI is involved, and in what quantity?
  • Was the disclosure made for any improper purpose?
  • Is there the potential for significant risk of financial, reputational, or other harm to the individual whose PHI was disclosed?
  • Was immediate action taken to mitigate any potential harm?
  • Do any of the specific Privacy Breach exceptions apply?

Legal and executive staff shall determine any immediate or long term mitigations or remedial actions that need to be taken as a result of a Privacy Incident or Breach. In the event that mitigations or remedial actions are needed, executive staff shall direct personnel with respect to planning, communicating and executing those activities.


The Company complies with local jurisdictional privacy laws and investigations. The Company shall provide all documentation or assistance required by law in connection with privacy-related investigations, and shall not impede or obstruct these investigations.


Phase 3 – Communication and Notification


In the event that Caredove Inc.’s executive management and/or legal counsel determines that notice to an affected Health Information Custodian (HIC) is warranted, Caredove Inc.’s executive management and/or legal counsel or the designated representative shall promptly prepare and transmit a notice to the HIC.


Timing of Notification

Caredove Inc. shall notify the HIC “without unreasonable delay” but no later than 60 days after discovery and/or notification of the Privacy Breach, as required by law.


Delay of Notification

If it appears to the CPO, or their designated representative, that the investigation will not be completed within a reasonable time, executive management and/or legal counsel shall be informed to ensure that the HIC is notified before completion of the investigation.


Law Enforcement Delay

A delay in notification is permissible if a law enforcement official states that a Privacy Breach notification would impede a criminal investigation or cause damage to national security.

  1. If a law enforcement request is received, the law enforcement statement must be in writing and must specify the length of the delay required.
  2. If the request for a delay in notification is oral, Caredove Inc. must document the statement and request written confirmation within 30 days. If no written request for a delay is received within that time, Caredove Inc. must send notification of the Privacy Breach to the HIC.


Content of Notification

Any notification to the HIC provided by Caredove Inc. shall include all information as required by law, but at a minimum, will contain the following content:

  • Identification of each individual whose PHI is believed to have been breached
  • The date of the Privacy Breach discovery
  • The date of disclosure
  • The facts and circumstances surrounding the disclosure
  • All associated documentation
  • All other available information known to Caredove Inc. that the HIC will be required to include in its own Notice to the individual(s).


Any additional information regarding the Privacy Breach that Caredove Inc discovers after the initial notice to the HIC shall be promptly provided to the HIC as required by law.


Any notice to the HIC shall be sent via first class mail with a return receipt requested and the return receipt as well as a copy of the HIC notice shall be kept with related documentation.


Logging and Document Retention


The Privacy Officer shall maintain a log of Privacy Incidents and Breaches, including the findings of, and the recommendations from, investigations, in accordance with Caredove's Documentation Policy, for a minimum of six years or in accordance with established record retention requirements, whichever is greater.


Incident responders shall collect, store, and preserve incident-related evidence in accordance with industry guidance and best practices such as NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response.

Jurisdictional Considerations

United States: In the US jurisdiction, Caredove complies with HIPAA laws and regulations.


Canada: In the Canadian jurisdiction, Caredove complies with the following laws and regulations:

  • PIPEDA (Federal Privacy Legislation)
  • PHIPA (Ontario Health Privacy Legislation)


Caredove Privacy Officer
Tim Berezny, Chief Technology Officer, Caredove Inc.
PO Box 2307, Orillia, Ontario L3V 6S2
Tel: 705-717-6359
tim@caredove.com