Investigation Report: FIPPA & PHIA Privacy Breach – Manitoba Families
investigations & monitoring
fippa
Summary
Manitoba Families submitted a privacy breach report to our office after its service provider experienced a cybersecurity incident that resulted in unauthorized access to personal information and personal health information belonging to 1,361 Manitoba residents .
The affected individuals received service from the Community Living disABILITY Services program of Families, through a community-based service provider funded and contracted by Families under a service purchase agreement.
Our office investigated the circumstances of the incident, the service provider’s response, and Families’ obligations as a trustee under The Personal Health Information Act (PHIA) and as a public body under The Freedom of Information and Protection of Privacy Act (FIPPA) with respect to the protection of personal information and personal health information held by the service provider on its behalf.
Our office found that Families did not have service provider management policies, security control guidelines, or an active audit program in place to oversee the Service Provider’s privacy practices, including cybersecurity.
Our office issued five recommendations to Families to address these gaps, and requested that Families provides an implementation plan within 60 days of its acceptance. Families responded to our report and recommendations on May 25, 2026. It accepted the recommendations and stated that it would provide the implementation plan within 60 days of its acceptance.
Read the full report found below for more information.
Please note that anyone receiving services who may have been affected by this breach would have been notified directly by the service provider at the time of the breach.
MO-09540