March 02, 2026

How to Help Protect Against Healthcare Data Breaches and Safeguard Patient Privacy

The healthcare industry is under constant attack, with data breaches prevalent throughout the sector. For example, in 2025, Ontario's privacy commissioner and Ontario Health investigated a reported data breach affecting Ontario Health atHome. The breach may have exposed the information of 200,000 patients. Recently, Canada’s Privacy Commissioner issued a call for stronger data protections in the industry.

Since healthcare organizations handle physical copies of patient records, identity documents, insurance records, and other health-related documents, they are targets for bad actors. To better safeguard patients’ personal information and help ensure provincial, territorial, and federal regulatory compliance, hospitals, health systems, and physician practices should have a comprehensive data security program, which includes secure document destruction, to tackle potential hazards.

Understanding Regulatory Requirements for Compliance

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to organizations that collect, use, or disclose personal information in the course of their commercial activities. If a province has adopted substantially similar privacy legislation, the federal government may exempt the organizations and/or activities covered by that legislation. To date, in matters relating to health care, Ontario, New Brunswick, and Newfoundland and Labrador have promulgated legislation deemed substantially similar to the federal law.

Although the core activities of public hospitals or publicly funded long-term care facilities are not subject to PIPEDA, health care providers in private practice, such as doctors, dentists, and chiropractors, are engaged in a commercial activity and thus subject to the Act, unless substantially similar provincial legislation applies.

Privacy laws are complex. Hospitals and healthcare providers must make sure they are familiar with applicable legislation.

What Information Is at Risk?

Hackers and social engineers are looking for key pieces of data that can be used to commit identity theft and other nefarious activities. When they target healthcare organizations to steal this data, they gain access to personal identifiers that link patients to their healthcare data, including:

  • Patient name
  • Date of birth
  • Social Insurance Number
  • Health plan number
  • Medical information
  • Financial data

Documents housing this information should be considered sensitive and secured appropriately to safeguard patient privacy.

How to Help Protect Data and Prevent Breaches

Adhering to privacy laws is vital for covered entities and business associates. By following these steps, organizations can better protect personal information and help prevent data breaches:

1. Don’t Underestimate the Risks of Paper

While hacking incidents targeting electronic information are a significant risk, paper-based data breaches still pose a potential threat. Due to the nature of the healthcare industry, it’s a safe bet that a majority of documents printed or otherwise generated during care contain personal information. Consequently, organizations must have policies and procedures that govern and support secure paper document handling, storage, disposal, and destruction.
An experienced shredding service like Shred-it® can provide document destruction at regularly scheduled intervals to ensure any confidential papers are securely destroyed. In addition, if an organization is going through a large-scale cleanout, such as when purging old paper-based medical records, a one-time, on-demand shredding is also a wise choice. To streamline both periodic and one-time shredding events, organizations may want to institute a shred-it-all policy that encourages staff to consider if there are any requirements to retain the document (in accordance with internal policy) and, if not, immediately and securely dispose of it. Unlike generic office shredders, a shredding service can handle a variety of formats, such as stand-alone documents, stapled and paper-clipped packets, x-rays, MRI recordings, and photographs.

2. Old Technology Presents Hazards

In addition to safely destroying paper, it is also important that any data housed on outdated or unused technology is rendered irretrievable, including data from old computers and photocopiers, USB keys, and CD-ROM or DVD storage systems. One of the most effective methods for disposing of old hard drives is to have them physically destroyed using a professional hard drive and media destruction service*.

3. Staff Training Is Essential

To help ensure policies and procedures are effective, organizations should train staff on how to preserve information privacy and security, including their role in paper handling, storage, and disposal. Vigilance in ongoing training that is current, relevant, and intelligence-based is key to improving awareness of potential attacks and response times.

Learn more about data security destruction best practices and how Shred-it®’s secure document destruction can help keep personal information safe.

*Contact Shred-it® for service availability.

This article is for general information purposes only and should not be construed as legal advice on any specific facts or circumstances.