A cyberattack against a Saskatoon sports rehab clinic has raised questions about how private clinics in Saskatchewan should handle personal information.

Many citizens in Saskatchewan may not know if the personal health information entrusted to their health-care provider is protected by HIPA. - Ronald Kruzeniski, Saskatchewan Information and Privacy Commissioner

In October, Pro Sport Rehab and Fitness was targeted by a ransomware attack on its medical record database. The patient information in the database was encrypted and held for ransom by hackers.

As soon as the attack happened, the clinic's owners called the Saskatchewan Information and Privacy Commissioner to seek guidance.

In an investigation by the privacy commissioner, Pro Sport said names, addresses, phone numbers and health-care numbers were included in the database and affected by the cyberattack.

However, because the clinic is private, it isn't included in Saskatchewan's Health Information Protection Act (HIPA), despite the wishes of the privacy commissioner.

Exclusion of private clinics 'wrong': commissioner

"The fact that corporations that provide health services in Saskatchewan, such as Pro Sport, are not covered by the definition of trustee in HIPA is wrong," wrote commissioner Ronald Kruzeniski in his report.

"As a result, citizens do not have the same access and privacy rights and protections with respect to their personal health information."

The privacy commissioner said he had brought the issue up to the provincial government many times in the past, but private clinics remain outside of the privacy law.

"Many citizens in Saskatchewan may not know if the personal health information entrusted to their health-care provider is protected by HIPA," wrote Kruzeniski.

The privacy commissioner recommended that Pro Sport only collect heath-care numbers of clients where the care provided is paid for by the public system, and destroy all health services numbers in its database that aren't required.

It also recommended that the clinic tell all affected individuals about the ransomware breach, and that the company follow privacy best practices, including restricting personal devices from accessing the database.