Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.
In this special retrospective episode of Info Matters, Commissioner Patricia Kosseim revisits season four’s standout conversations. Highlights include junior high students' views on privacy, Cynthia Khoo on facial recognition, and Robert Fabes on how people experiencing homelessness perceive privacy. Dr. Devin Singh explores AI in health care, while Priya Shastri from WomanAct discusses information sharing in safety planning for survivors of intimate partner violence. The episode also covers the use of digital educational tools in the classroom, mediation in access appeals at the IPC, conversations about the IPC’s Transparency Showcase, and IPC health privacy cases involving cyber attacks and abandoned records.
A complaint was brought to the Information and Privacy Commissioner of Ontario (IPC) alleging that a health clinic had failed to securely dispose of records of personal health information (PHI). To support the allegations, photographs of patient records found discarded in an unsecured recycling bin were provided.
The IPC wrote to the clinic to inquire into the allegations. The clinic provided a report to the IPC which raised additional concerns and the IPC initiated an investigation into the matter.
The IPC investigator took custody of the records retrieved from the recycling bin. Despite many of the records being shredded or torn by hand, the investigator was able to recover some sensitive information. This included dates of patient visits, a self-reported health history, a patient’s date of birth, and six other complete patient names associated with the clinic.
During the investigation, the clinic explained that staff began disposing of records to make more space. Some records were shredded, others were hand torn to avoid noise from the shredding machine that might disturb patients during appointments. The discarded records were picked up by cleaners biweekly and placed in a dumpster in a locked garage area of the plaza where the clinic is located. From there, the garbage would be picked up weekly by the local garbage collector.
The clinic acknowledged that the cleaners would have had access to the insecurely destroyed material. It recognized that further steps should have been taken to ensure secure disposal of this information. The clinic also advised that it lacked written policies or procedures for record retention and secure record destruction or disposal. Instead, staff relied on verbal instructions, which the clinic admitted were insufficient.
The clinic notified affected patients of the breach by sending an initial notification letter. Subsequently, the clinic sent another notification letter to nearly 500 additional patients who may also have been affected.
Findings
The investigator found that at the time of the breach, the clinic was not in compliance with several sections of the Personal Health Information Protection Act (PHIPA). These include legal requirements for health information custodians to:
take reasonable safeguards to protect personal health information (s. 12(1)),
securely handle and dispose of records (s. 13(1)),
have proper information practices in place (s. 10(1)), and
follow those practices (s. 10(2)).
The investigator concluded that the clinic’s lack of measures and safeguards resulted in its failure to ensure that records of PHI in its custody or under its control were retained and disposed of in a secure manner.
To address the investigator’s concerns, the clinic created and put in place policies and training. This included a new privacy policy to address how the clinic routinely collects, uses, modifies, discloses, retains or disposes of PHI. The clinic also created a client records policy outlining specific measures to be taken to safeguard and securely dispose of client records.
All staff were required to review the new policies and submit a written acknowledgement of their understanding and willingness to comply with them. Two training sessions were also held to familiarize staff with the updated privacy practices and the clinic committed to conducting biannual training going forward. The clinic also updated its employee handbook with additional resources related to its obligations under PHIPA, including a PHIPA training video and links to the entire statute and other resources.
The investigator concluded that these remedial steps brought the clinic into compliance with PHIPA.
Lastly, the investigator found that the unsecured disposal of PHI constituted a loss of PHI, triggering the obligation to notify all affected individuals. While the clinic did provide notice, the investigator found a deficiency with the initial notification letter (which was remedied) and found that notice should have been provided more quickly. However, overall, the investigator was satisfied that the clinic provided the notification required by section 12(2) of PHIPA.
Key takeaways
Health information custodians (HICs) must ensure that PHI of their patients is secure at all times, including during the record disposal process.
HICs must have privacy policies in place that address how they collect, use, modify, disclose, retain or dispose of PHI. These policies should specifically address measures to be taken to protect the security of patient records and the secure disposal of these records.
Procedures for secure record disposal depend in part on the storage media used. If dealing with paper, as in this case, records should not simply be torn by hand. They should be properly shredded using a cross-shred or micro-cut shredder to ensure that the records cannot later be reconstructed. This can be done on-site, or, if using an outside agency, a formally signed contract or agreement should be in place. The agreement should address the need to ensure security and confidentiality of records during the disposal process and indicate the specific disposal method to be used.
HICs should provide all staff with regular training on privacy policies and practices and the secure disposal of client records. Staff should receive training annually and be required to submit signed attestations acknowledging that they have read and understand the privacy policies.
HICs must notify affected individuals when personal health information in their custody or control is stolen, lost, or used or disclosed without authority. Unsecured disposal of PHI constitutes a loss of PHI, triggering the obligation to notify affected individuals.
IPC comments on proposed amendments to Ontario Regulation 329/04 to support the transfer of the Critical Care Information System from Hamilton Health Sciences Corporation to Ornge, and to maintain the practices and procedures to ensure continued protection of personal health information during the transfer.
Schedule 6 of Bill 231, the More Convenient Care Act, introduces a complex initiative to enable Ontarians' use of a digital health identity tool, with the intent that Ontarians will use it to access their health records. It contains significant changes to Ontario’s health privacy law that put Ontarians' health privacy at risk and limit rather than enable their access rights.
The joint investigation report concerning the 2019 cyberattack on LifeLabs’ computer systems was completed in June 2020. The Ontario Court of Appeal recently dismissed LifeLabs’ bid to block public release of the report.
A public hospital was alerted to suspicious activity on a patient chart, and initiated an investigation, which included a targeted audit. The audit revealed that nearly 4,000 patient charts had been accessed by a physician without authorization, from a remote workstation outside of work hours. None of these patients were under the physician’s care.
The physician admitted to accessing the electronic health records for educational purposes. The physician thought accessing the electronic health records of patients remotely for this purpose was permitted. The hospital reported there was no evidence of inappropriate disclosure or unauthorized access after this issue was raised with the physician. In response to the breach, the physician had to undergo privacy training, which was completed in 2023 and 2024.
At the time of the breach, the hospital did not have a specific policy on the use of personal health information for education purposes. The hospital’s physicians, including the physician in question, were not provided privacy training or training on the use of personal health information for education purposes. The hospital advised that it did provide privacy training during onboarding and annually for its non-physician agents. However, the hospital discovered that only 50.4 per cent of its non-physician agents had completed the required privacy training in 2023.
The hospital’s policy required all agents, including physicians, to sign confidentiality agreements upon hire and on an annual basis. During the investigation, it was revealed that the physician signed a confidentiality agreement when hired, but not annually. The hospital explained that at the time of the breach, it had no formal process for the signing of confidentiality agreements and tracking the completion of this by its physicians. Similar to the lack of compliance with privacy training requirements, the hospital discovered that here too, only 50.4 per cent of its non-physician agents had signed a confidentiality agreement in 2023.
Findings
The hospital reported the breach to the Information and Privacy Commissioner of Ontario (IPC). The IPC investigator found that, at the time of the breach, the hospital was in violation of PHIPA due to:
its lack of privacy training for physicians
failure to ensure annual confidentiality agreements were signed by physicians
failure to ensure that non-physician agents also completed the required training and signed the annual confidentiality agreements
the absence of a policy or guidance about the use of personal health information for education purposes
The hospital addressed these deficiencies by putting in place an electronic credentialing system. A privacy officer was assigned to track the completion of initial, and annual, mandatory privacy training for all agents, including physicians.
The hospital also required the physician to re-sign a confidentiality agreement. Additionally, all physicians were required to re-sign their confidentiality agreements in 2024 through the online credentialing and tracking system. The signing of confidentiality agreements is now bundled with privacy training and tracked by the privacy officer in the same way.
In addition, the hospital took steps to update and strengthen the content of its privacy policies and confidentiality agreements to provide clear direction for all agents, including physicians, on the use of personal health information for education purposes.
As a result of these efforts, 100 per cent of all physicians (including the physician involved in the breach) had completed their privacy training and signed their annual confidentiality agreements in 2024. Similarly, all full-time and part-time non-physician agents had also completed these requirements in 2024.
Given that the hospital took action to address the privacy issues identified, the investigator was satisfied that the hospital now had adequate measures in place to comply with sections 10 and 12(1) of PHIPA. The investigator concluded that a formal review under PHIPA was not necessary, and the matter was closed.
Key takeaways
Health information custodians (HICs) must provide privacy training for all agents, including physicians, upon hire and on an annual basis. This training must include guidance on the use of personal health information for education purposes, in accordance with the HICs’ policies. Such privacy training should be updated on a regular basis to provide all agents with clear and up-to-date guidance on authorized uses of personal health information.
HICs must have comprehensive privacy policies in place, including explicit reference to the use of personal health information for education purposes. These policies must also ensure that agents, including physicians, are given clear guidance on the expectations and requirements for privacy training and confidentiality agreements. In addition, the privacy policies should be reviewed on a regular basis to ensure they are up-to-date with current privacy laws and regulations.
HICs must ensure that all agents, including physicians, sign and renew confidentiality agreements on an annual basis, requiring acknowledgment that they have read and understood the agreement.
HICs should implement a tracking system to monitor compliance by ensuring that all agents, including physicians, have completed privacy training and signed confidentiality agreements, as required by their policies.
In her letter, Commissioner Kosseim recommends that the ministry reconsider its proposal to better facilitate Ontarians’ easy and meaningful access to their records in the provincial Electronic Health Record. The commissioner also recommends that the ministry carefully consider transparency and accountability of the proposed digital ecosystem to access those records.
A prescribed person under the Personal Health Information Protection Act reported a breach to the IPC regarding a cyberattack that involved the unauthorized copying of approximately 3.4 million individuals’ personal health information from the prescribed person’s secure file transfer server. The threat actors gained unauthorized access to the server by exploiting a zero-day vulnerability in the file transfer software, MOVEit, that was installed on this server.
The following decisions involved different cyberattacks against four different organizations. Three involved health information custodians (HICs) subject to the Personal Health Information Protection Act (PHIPA), and the fourth involved a Children’s Aid Society subject to Part X of the Child, Youth and Family Services Act (CYFSA). In all four cases, the organizations took the position that there was no duty to notify affected individuals because there was no evidence that personal health information or personal information was taken (or exfiltrated) from their systems. The Office of the Information and Privacy Commissioner (IPC) disagreed, finding that the loss, or unauthorized use or disclosure of personal (health) information triggered the duty to notify affected individuals even if the cyberattack did not result in the exfiltration of the information.
Findings
In CYFSA Decision 19,[1] the Halton Children’s Aid Society (CAS) was the subject of a ransomware attack in February of 2022 that resulted in the full encryption of some CAS systems. The encryption occurred at the container level and not at the level of individual file folders. The forensic investigation firm hired to examine the attack determined that the threat actor’s encryption of select servers “did not result in any access to or exfiltration of data” in the CAS’s servers.
The adjudicator found that the encryption of servers containing personal information resulted in the unauthorized use and loss of that information within the meaning of section 308(2) of the CYFSA. CAS had a duty to notify affected individuals “at the first reasonable opportunity.” However, the adjudicator determined that direct notice was not required in this case given relevant factors including evidence of diligent efforts by the CAS to contain and to remedy the effects of the cyberattack, and the passage of time. The adjudicator ordered the CAS to provide this notice through indirect public notice within 30 days of the date of the decision, either by posting a general website notice or some other form of indirect public notice.
In PHIPA Decision 253,[2] the Hospital for Sick Children was the subject of a ransomware attack in December of 2022. The threat actor encrypted numerous hospital servers at the container level. Many of these servers contained some form of personal health information. The investigation found no evidence that any personal health information was accessed or taken. Immediately after the attack, and in the weeks following, the hospital posted updates on its website and on social media informing the public about the attack, and the progress of its investigation and remediation efforts.
The adjudicator determined that the ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2) of PHIPA. As a result, the hospital had a duty to notify under PHIPA, which it did. However, the adjudicator found that the hospital’s notice did not comply with section 12(2) of PHIPA because it did not include a statement about the right to file a complaint with the IPC. Even so, considering the sufficiency of the hospital’s responses, the overall circumstances, and the passage of time, the adjudicator found no useful purpose in directing that a revised notice be given. The adjudicator concluded the review without issuing an order.
In PHIPA Decision 254, Kingston, Frontenac and Lennox & Addington Public Health (KFL&A) was the subject of a ransomware attack in June of 2021. KFL&A confirmed that the threat actor encrypted more than 8,000 patient records on its servers. While the investigation found tools associated with exfiltration in some of the servers containing personal health information, it found no evidence the threat actor had taken information. Following payment of a ransom, KFL&A reported that “all important data was successfully decrypted.” At the time of the incident, KFL&A issued news releases informing the public about the attack, and of the progress of its recovery efforts.
As in PHIPA Decision 253, the adjudicator found that the ransomware attack resulted in both an unauthorized use and loss of personal health information within the meaning of section 12(2) of PHIPA. As a result, KFL&A had a duty to notify under PHIPA. The adjudicator determined that KFL&A’s notice did not comply with section 12(2) of PHIPA because it should have included more details and a statement about the right to file a complaint with the IPC. However, given the sufficiency of KFL&A’s responses, the overall circumstances, and the passage of time, the adjudicator found no useful purpose in directing that further notice be given. The adjudicator concluded the review without issuing an order.
In PHIPA Decision 255, the Simcoe Muskoka District Health Unit (SMDHU) was the subject of an email phishing attack in July of 2022. The threat actor gained access to one SMDHU email account containing approximately 20,000 emails, including about 1,000 emails containing personal health information. SMDHU’s investigation determined that the threat actor had not sent or forwarded any emails from the compromised account. The forensic investigation also found that the threat actor had only one hour of access to the one compromised email account. During the IPC’s review, SMDHU proceeded to send detailed letters notifying individuals whose personal health information may have been affected by the breach.
The adjudicator concluded, on a balance of probabilities, that the threat actor’s access to an SMDHU email account resulted in both an unauthorized disclosure and use of personal health information. As a result, the duty to notify affected individuals under section 12(2) of PHIPA applied. Although SMDHU provided direct notification to individuals during the IPC review, the adjudicator found that SMDHU should have done so at the first reasonable opportunity. In the circumstances, the adjudicator concluded the review without issuing an order.
Key takeaways
Encryption of personal (health) information by threat actors that makes the information inaccessible or unavailable may constitute loss, or unauthorized use or disclosure of the information. This applies even without exfiltration of, or access to, individual files and triggers the duty to notify affected individuals.
The act of encryption transforms personal (health) information by making it unavailable and inaccessible to authorized users of the information. Making the encrypted records unavailable to the HICs or service providers, to use, disclose, and otherwise handle for authorized purposes, is a kind of “handling” of or “dealing with” that information. In other words, it is a use of information within the meaning of PHIPA and CYFSA.
If information is made unavailable or inaccessible to authorized users because of unauthorized activity, then it is also a “loss” of information under section 12(2) of PHIPA and section 308(2) of CYFSA. A threat actor’s encryption of servers has the effect of denying authorized users access to personal (health) information that is required to provide services. In other words, there is a loss of information, even if it is just for a limited period.
Successful recovery of information, after information has been made unavailable or inaccessible due to a ransomware attack, does not cancel out the duty to notify affected individuals under PHIPA section 12(2) and CYFSA section 308(2).
The duty to notify affected individuals can be met in different ways. When considering the appropriate form of notice, organizations should consider relevant circumstances, including, but not limited to:
The number of individuals potentially affected by the cyberattack.
The adequacy of the response to the cyberattack.
The volume and sensitivity of the affected information.
Evidence of any continuing privacy risks from the attack.
Cybercriminals sometimes lock down (encrypt) personal information and make it inaccessible to the institution, bringing its operations to a halt. Other times, they gain access to an institution’s servers and threaten to post sensitive personal information online. When dealing with a cyberattack, institutions must act quickly to contain and recover from any cybersecurity breach, and notify individuals whose personal information may have been affected by the breach.
Notes
[1] This decision is the subject of an ongoing judicial review and an appeal.
[2] This decision is subject to an ongoing judicial review.