Privacy & Security Tips

October, 2025

Don't get spooked: beware the cyber ghouls this October

October is Cybersecurity Awareness Month, a timely reminder that one of the scariest things this Halloween may not be ghosts and goblins, but it may be in your inbox or your phone! In health care, we are seeing increasingly complex threats: phishing emails are becoming increasingly convincing, urging you to click on an email or attachment from a colleague or hospital. Attackers are also using impersonation "quishing" (QR-code phishing), where an image or email asks you to scan a QR code leading to a malicious site, or using phone-based "vishing" scams, spoofing official phone numbers, mimicking caller ID, and even using AI to trick targets into sharing sensitive information. Attackers are also targeting business associates and smaller vendors as a back door into larger health systems.

Personal health information is extremely valuable to cyber attackers. They know the stakes are high: when systems go down, critical data can be temporarily inaccessible or lost entirely. In recent months, healthcare organizations in Canada and beyond have seen major breaches and ransomware attacks which have impacted millions of patient records. Furthermore, a recent decision clarified that under PHIPA, even an unauthorized encryption still counts as a "use" of personal health information and must be reported to the Privacy Commissioner. This is another reminder that privacy duties apply not just to charts and conversations, but to digital security events.

To stay ahead of these ghouls:

• Always verify unexpected requests, especially where they are marked "urgent" or "critical"
• Think before you click and don't click on suspicious links or QR codes
• Enable multi-factor authentication
• Make sure your clinic's privacy breach protocol includes steps for dealing with cybersecurity events, and
• Promptly report any unusual messages to your IT or security personnel.