If you run a therapy practice in Canada, you are handling some of the most sensitive personal information imaginable: mental health diagnoses, session notes, trauma histories, family dynamics, and substance use records. A data breach involving this information doesn't just violate a regulation — it can cause profound harm to the people who trusted you with their most vulnerable moments.

Since November 1, 2018, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) has included mandatory breach notification requirements. These rules apply to every private-sector organization that collects, uses, or discloses personal information in the course of commercial activity — and that includes private therapy practices. If you experience a breach of security safeguards, you have legal obligations that go far beyond simply fixing the problem.

What Counts as a Breach Under PIPEDA

PIPEDA defines a "breach of security safeguards" as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards, or from a failure to establish those safeguards. For therapy practices this covers a wide range of scenarios, from a stolen laptop or a compromised email account to a misdirected fax.

Note that a breach doesn't require malicious intent. An honest mistake — like emailing a group therapy attendance list with all recipients visible in the "To" field — still qualifies as an unauthorized disclosure of personal information.

The "Real Risk of Significant Harm" Test

Not every breach triggers notification obligations. PIPEDA uses a "real risk of significant harm" (RROSH) threshold. You must assess whether the breach creates a real risk that affected individuals will experience significant harm as a result.

"Significant harm" under PIPEDA includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property. For therapy practices, the bar is almost always met. Mental health information is among the most sensitive categories of personal data, and the Office of the Privacy Commissioner of Canada (OPC) has consistently treated breaches involving health information as carrying an inherently high risk of harm.

When assessing RROSH, PIPEDA requires you to consider at least two factors:

  1. The sensitivity of the personal information involved. Client therapy records, diagnoses, session notes, and contact details are all highly sensitive. Even a client's name associated with your practice reveals they are receiving mental health services.
  2. The probability that the information will be misused. Consider who accessed it, whether the data was encrypted, whether it has been recovered, and the breadth of the exposure.

In practice, if client health information is involved in a breach, you should assume the RROSH threshold is met unless you have strong evidence to the contrary.

Your Reporting Obligations

When a breach meets the RROSH threshold, PIPEDA requires three actions:

1. Report to the Office of the Privacy Commissioner

You must report the breach to the OPC as soon as feasible after you determine that it has occurred. The report must include a description of the circumstances of the breach (and its cause, if known), the day or period it occurred, the personal information involved, the number of individuals affected, the steps you have taken to reduce the risk of harm, the steps you have taken to notify affected individuals, and a contact person who can answer the OPC's questions. Include your risk assessment as well. The OPC provides an online breach report form on its website for this purpose.

2. Notify Affected Individuals

You must notify every individual whose personal information was involved, as soon as feasible. The notification must be conspicuous and delivered directly (email, letter, phone call, or in person, not buried in a website update). Indirect notification, such as a public notice, is permitted only where direct notification would cause further harm, would be unreasonably costly, or you have no contact information for the individual. The notification must include a description of the breach, the day or period it occurred, the types of personal information involved, what your practice is doing to reduce the risk, steps the individual can take to reduce their own risk, and contact information for someone at your practice who can answer questions.

3. Notify Other Organizations

If another organization or government institution could reduce the risk of harm — for example, law enforcement in the case of a criminal theft, or a payment processor if financial data was exposed — you must notify them as well.

The 24-Month Record-Keeping Requirement

Here's a requirement many therapists miss: PIPEDA mandates that you keep a record of every breach of security safeguards — not just those that trigger notification. You must maintain these records for at least 24 months. The OPC can request access to these records at any time.

This means even minor incidents (a momentary unauthorized access that was immediately revoked, a misdirected fax that was confirmed destroyed) must be documented. Your breach log should include the date of the breach, a description of what happened, the personal information involved, your risk assessment, and whether notification was triggered.

Penalties for Non-Compliance

Knowingly failing to report a breach to the OPC, failing to notify affected individuals, or failing to maintain breach records is an offence under PIPEDA, punishable by a fine of up to $100,000 on indictment (up to $10,000 on summary conviction). Beyond financial penalties, the OPC can publish its findings and name the organization, and affected individuals may apply to the Federal Court for damages after an OPC investigation.

Provincial privacy legislation adds additional layers. In Ontario, regulated therapists are typically health information custodians under PHIPA, which carries its own duty to notify affected individuals of a privacy breach and, in prescribed circumstances, to report it to the Information and Privacy Commissioner of Ontario; a breach may also lead to a complaint to your regulatory college (CRPO, CPO, or OCSWSSW). Alberta's Personal Information Protection Act (PIPA) requires organizations to report breaches posing a real risk of significant harm to the Alberta Commissioner. British Columbia's PIPA has not yet made breach notification mandatory, although the BC OIPC expects organizations to notify affected individuals and the Commissioner. Quebec's Law 25, fully in force since September 2024, imposes stricter obligations, including mandatory privacy impact assessments for certain projects, a designated person in charge of the protection of personal information, and notification of the Commission d'accès à l'information for incidents presenting a risk of serious injury.

Practical Prevention: Cybersecurity Steps for Your Practice

The best breach notification plan is one you never have to use. Here are the security measures every Canadian therapy practice should have in place:

Multi-Factor Authentication (MFA)

Enable MFA on every account that touches client data: your EHR (for example Jane or OWL Practice), your email, your cloud storage, your billing system, and your video conferencing platform. Microsoft's security research has reported that MFA blocks over 99% of automated account-compromise attacks. Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) or a hardware security key rather than SMS codes, which can be intercepted through SIM-swapping attacks. Be aware that attackers also phish one-time codes and bombard users with approval prompts, so never approve a login prompt you did not initiate.

Encryption Everywhere

Ensure your devices use full-disk encryption (BitLocker on Windows, FileVault on Mac, and the built-in encryption on iOS and Android, which is only effective with a strong passcode). If a laptop is stolen while powered off or locked, the data on it is unreadable without the decryption key, which significantly changes your RROSH assessment; that argument only holds if the device was actually encrypted and the recovery key was not stored on the same device, so keep the recovery key somewhere safe and separate. Use secure messaging for any client communications that contain personal health information. A consumer Gmail or Outlook.com account is not sufficient on its own, and TLS between mail servers only protects the message in transit, not in the mailboxes at either end. Prefer a healthcare-oriented encrypted email service such as Hushmail for Healthcare, or share documents through your EHR's secure client portal instead of email.

Password Management

Use a password manager (1Password, Bitwarden, or Dashlane) for your practice. Every account should have a unique, randomly generated password of at least 16 characters. Shared practice accounts are a breach waiting to happen: each clinician and administrative staff member should have their own credentials, with access limited to what their role requires, so that you can tell who accessed what when you investigate an incident and can revoke one person's access without disrupting everyone else.

Endpoint Security

Install reputable endpoint protection on every device used for practice work, including personal devices used for telehealth. Microsoft Defender Antivirus (included with Windows 10 and 11) is a capable solution when cloud-delivered protection and tamper protection are enabled. For Mac users, consider Malwarebytes or SentinelOne. Turn on automatic updates for operating systems, browsers, and all software; most successful attacks exploit known vulnerabilities that patches have already fixed.

Secure Backups

Maintain encrypted backups of your client data following the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored off-site (such as an encrypted cloud backup). At least one copy should be offline or otherwise not writable from your everyday account, because ransomware that can reach your backups will encrypt them too. Test your restoration process quarterly; an untested backup is only a hope. Backups are your primary defence against the encryption side of ransomware, since a clean restore removes the attacker's leverage over your operations. They do not undo data theft: most ransomware groups now copy data before encrypting it, so a ransomware incident is still a breach of security safeguards that you must assess under RROSH and report accordingly.
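The restore test described above can be automated. The script below is an added example, not something from the original article or from any backup product: it packs a directory into an AES-256 encrypted archive and then proves the archive restores by decrypting it into a scratch directory and comparing every file's SHA-256 with the live copy. It assumes a POSIX shell with tar, openssl and sha256sum available; the passphrase file and directory names are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example: encrypted backup plus an automated restore test.
# Assumes tar, openssl (1.1.1+ for -pbkdf2) and sha256sum are installed.
# The passphrase lives in a separate file; keep that file off the backup media.
set -eu

# make_backup SRC_DIR ARCHIVE PASSFILE
# Packs SRC_DIR into a tar stream and encrypts it with AES-256-CBC, deriving
# the key from the passphrase with PBKDF2 and a random salt.
make_backup() {
    src="$1"; out="$2"; passfile="$3"
    tar -C "$src" -cf - . \
        | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
              -pass "file:$passfile" -out "$out"
}

# verify_backup SRC_DIR ARCHIVE PASSFILE
# Decrypts ARCHIVE into a scratch directory and compares a sorted SHA-256
# manifest of the restored files with one taken from the live directory.
# Returns 0 only if every file restores byte-for-byte identical.
verify_backup() {
    src="$1"; archive="$2"; passfile="$3"
    scratch=$(mktemp -d)
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$passfile" -in "$archive" \
        | tar -C "$scratch" -xf -
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort ) > "$scratch.live"
    ( cd "$scratch" && find . -type f -exec sha256sum {} + | sort ) > "$scratch.restored"
    if cmp -s "$scratch.live" "$scratch.restored"; then rc=0; else rc=1; fi
    rm -rf "$scratch" "$scratch.live" "$scratch.restored"
    return $rc
}

# Usage: sh backup-check.sh /path/to/practice-data backup.tar.enc /path/to/passfile
# Runs a backup and immediately proves it restores; a failed restore test is
# reported before you ever need the backup for real.
if [ "$#" -eq 3 ]; then
    make_backup "$1" "$2" "$3"
    if verify_backup "$1" "$2" "$3"; then
        echo "restore test passed: $2"
    else
        echo "restore test FAILED: $2" >&2
        exit 1
    fi
fi
```

Run it on a schedule against the real data directory and treat a failed restore test like an incident: a backup you cannot restore is exactly what a ransomware attacker is counting on. On macOS substitute `shasum -a 256` for `sha256sum`.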

Staff Training

Human error is consistently among the leading causes of data breaches. Train every person in your practice on phishing recognition, safe email habits (including checking the recipient list before sending anything about a client), proper device handling, and your incident response procedure. Even a solo practitioner should have a written plan for what to do if they suspect a breach. Run through the scenario once a year so the steps are familiar when stress is high.

Building Your Breach Response Plan

Every Canadian therapy practice should have a documented breach response plan that covers:

  1. Detection and containment: How will you identify a breach and stop it from getting worse? (Change passwords, revoke access, isolate affected systems.) Preserve evidence before you wipe or reset anything: you will need account audit logs and device records to establish what information was accessed and by whom.
  2. Assessment: Who determines whether the RROSH threshold is met, and by when? Which factors will you weigh (sensitivity of the data, who accessed it, whether it was encrypted, whether it has been recovered)?
  3. Notification: Template letters for the OPC and for affected clients, pre-drafted so you can act quickly under pressure, plus a list of other organizations (your EHR vendor, payment processor, police, regulatory college) you may need to contact.
  4. Remediation: What steps will you take to prevent recurrence?
  5. Documentation: Your breach log template, where it is stored, and who is responsible for keeping it for the required 24 months.

The OPC expects organizations to act "as soon as feasible." Having a plan in place before an incident occurs is the difference between a measured, compliant response and a panicked scramble that compounds the damage.

The Bottom Line

Canada's mandatory breach notification rules are not optional, and they are not abstract. They apply to your therapy practice today. The combination of highly sensitive health data, the emotional trust clients place in their therapist, and the real-world consequences of mental health information being exposed means that cybersecurity is not an IT problem — it is a clinical and ethical obligation.

Start with the basics: MFA on every account, encryption on every device, a password manager for every credential, and a written plan for when something goes wrong. These measures won't make you invulnerable, but they will dramatically reduce your risk and demonstrate the due diligence that both PIPEDA and your regulatory college expect.

If you're unsure where your practice stands, we can help you assess your current security posture and build a compliance-ready cybersecurity foundation. Reach out for a free consultation.