Skip to content

Breach Response Plan

A documented procedure for responding to privacy breaches involving personal health information (PHI) processed by VitaraVox.

Scope

This plan covers breaches involving:

  • Patient demographic data (names, phone numbers, health card numbers)
  • Voice call recordings and transcripts
  • Appointment information
  • Clinic configuration data containing credentials
  • Any data classified as PHI under PIPEDA or PIPA

Definitions

Privacy Breach: The loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards (PIPEDA s.10.1).

Real Risk of Significant Harm (RROSH): Includes bodily harm, humiliation, damage to reputation, loss of employment, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

Breach Response Timeline

Discovery (T=0)
    ├── Immediate (0-4 hours)
    │   ├── Contain the breach
    │   ├── Notify internal escalation chain
    │   └── Begin documentation
    ├── Assessment (4-24 hours)
    │   ├── Determine scope and severity
    │   ├── Identify affected individuals
    │   └── Assess RROSH
    ├── Notification (24-72 hours)
    │   ├── Privacy Commissioner of Canada (if RROSH)
    │   ├── BC OIPC (if BC clinic affected)
    │   └── Affected individuals (if RROSH)
    └── Post-Incident (1-4 weeks)
        ├── Root cause analysis
        ├── Remediation implementation
        └── Policy/procedure updates

Step 1: Containment (0-4 Hours)

Immediate Actions

  1. Stop the breach — Revoke compromised credentials, disable affected accounts, block unauthorized access
  2. Preserve evidence — Do not delete logs, take screenshots, note timestamps
  3. Isolate affected systems — If malware suspected, isolate affected containers/services

Internal Notification

Notify the following within 1 hour of discovery:

Role Contact Responsibility
VitaraVox Operations Lead ops@vitaravox.ca Technical response coordination
Privacy Officer [Per clinic designation] Regulatory notification decisions
Clinic Manager [Per affected clinic] Patient communication

Documentation

Begin a breach incident record including:

  • Date and time of discovery
  • How the breach was discovered
  • Description of the breach
  • Systems and data affected
  • Containment actions taken
  • Personnel involved in response

Step 2: Assessment (4-24 Hours)

Scope Determination

Answer the following questions:

  1. What data was compromised?

    • Patient names, phone numbers, health card numbers?
    • Voice recordings or transcripts?
    • Credentials or API keys?
    • How many records affected?

  2. Who is affected?

    • Number of patients
    • Which clinics
    • Any staff accounts compromised?

  3. How did it happen?

    • Unauthorized access (external attack, insider)
    • Accidental disclosure (misconfiguration, email error)
    • Loss of device/media
    • Third-party processor breach (Vapi, OCI)

  4. Is there ongoing risk?

    • Has the vulnerability been patched?
    • Are compromised credentials rotated?
    • Could the attacker still have access?

RROSH Assessment

Evaluate whether there is a Real Risk of Significant Harm:

Factor Low Risk High Risk
Sensitivity Names, appointment dates Health card numbers, medical information
Number affected < 10 individuals > 100 individuals
Cause Accidental, quickly contained Deliberate, prolonged access
Mitigation Data encrypted, access limited Plaintext data, broad exposure
Potential for misuse Information not easily exploitable Identity theft, discrimination possible

If RROSH is determined → proceed to Step 3 (mandatory notification)

Step 3: Notification (24-72 Hours)

A. Privacy Commissioner of Canada

When: Within 72 hours if RROSH is determined (PIPEDA s.10.1)

How: Submit PIPEDA Breach Report Form

Include:

  • Description of the breach
  • Date or period of the breach
  • Description of personal information involved
  • Number of individuals affected (estimate if exact count unknown)
  • Steps taken to reduce risk of harm
  • Steps taken or planned to notify affected individuals
  • Contact information for privacy officer

Contact:

  • Office of the Privacy Commissioner of Canada (OPC)
  • Web: priv.gc.ca
  • Phone: 1-800-282-1376
  • Breach report form: Available on OPC website

B. BC Office of the Information and Privacy Commissioner (OIPC)

When: As soon as practicable if BC clinic affected (PIPA s.29.3)

How: Written notification to the Commissioner

Contact:

  • BC OIPC
  • Phone: 250-387-5629
  • Email: info@oipc.bc.ca

C. Affected Individuals

When: As soon as feasible after determining RROSH (PIPEDA s.10.1(2))

How: Direct notification (phone, email, or letter) — not social media or website-only

Include:

  • Description of the breach in plain language
  • What personal information was involved
  • Steps the individual can take to reduce risk (e.g., monitor credit, change passwords)
  • Contact information for VitaraVox privacy officer
  • Contact information for OPC and BC OIPC
  • What VitaraVox is doing to prevent future breaches

D. Third-Party Processors

If the breach originated at or affects a third-party processor:

Processor Contact Action
Vapi.ai [Per DPA contact] Notify of breach, request investigation, demand incident report
OCI (Oracle) [OCI support] File security incident, review access logs
Telnyx [Per agreement] Notify if telephony data compromised

Step 4: Post-Incident (1-4 Weeks)

Root Cause Analysis

  • Identify the root cause (technical, process, or human error)
  • Determine if existing controls failed or were absent
  • Document timeline of events
  • Identify systemic issues

Remediation

  • Implement fixes for the root cause
  • Update security controls as needed
  • Rotate all potentially compromised credentials
  • Review and update access permissions
  • Deploy additional monitoring if needed

Policy Updates

  • Update this breach response plan based on lessons learned
  • Review and update security policies
  • Conduct staff training if human error was a factor
  • Update third-party DPAs if processor obligations were insufficient

Record Keeping

Maintain breach records for minimum 24 months (PIPEDA s.10.3), including:

  • Date of breach
  • Description and scope
  • Risk assessment
  • Notification decisions and rationale
  • Notifications sent (copies)
  • Remediation actions taken

Breach Severity Classification

Level Description Example Response Time
Critical PHI exposed to unauthorized external parties Database breach, leaked health cards Immediate — all hands
High PHI accessible but no evidence of exfiltration Misconfigured access controls, exposed API 4 hours containment
Medium Non-PHI data exposed or internal unauthorized access Staff accessed wrong clinic data, credential exposure 24 hours assessment
Low Potential vulnerability identified, no data exposed Security scan finding, failed login attempts Standard remediation

Annual Review

This breach response plan must be reviewed annually by the Privacy Officer and Operations Lead to ensure:

  • Contact information is current
  • Procedures align with current legislation
  • Third-party processor agreements are up to date
  • Staff are trained on breach identification and reporting

Last Reviewed: February 2026 Next Review Due: February 2027