Trust in Digital Health

Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.

Our work to further this goal includes:

Ensuring health data privacy: Insights from the UTOPIAN case [Topics: Health, Trust in Digital Health; Type: Case of Note]

Case of Note: PHIPA Decision 243 

Introduction

Health information research plays a vital role in improving medical treatments and the quality of care. To conduct health research, researchers require access to personal health information, the collection and use of which is regulated under health privacy laws. However, health researchers in Ontario, dealing with this sensitive personal health information, must ensure that they adhere to the requirements of the Personal Health Information Protection Act (PHIPA). These requirements exist to protect such health information, while also allowing important health research to take place.

Background

Established by the University of Toronto in 2013, UTOPIAN is described as a research database composed of de-identified records of patients extracted from electronic medical records (EMR) of contributing primary care physicians. The personal health information uploaded to UTOPIAN was collected from health information custodians under the PHIPA research provisions. 

The university provided custodians with a Provider Agreement, which consisted of a multi-page letter describing the UTOPIAN project, followed by a custodian consent form. The Provider Agreement stated that only de-identified data extracted from the database would be provided to researchers to support primary care research in Ontario. The university, however, did not provide contributing custodians with a copy of the research plan, or the updated research plans following renewals and amendments to that plan. The university also did not provide to custodians a copy of the Research Ethics Board (REB) decision approving the research plan. 

Initially, UTOPIAN’s research plan specified that it would not extract any direct patient identifiers. However, that changed in 2020, when the university significantly expanded the scope of the personal health information UTOPIAN collected to include patient identifiers such as patient names, addresses, phone numbers, emails and health card numbers. UTOPIAN also started collecting personal health information within the free text fields from the EMRs, as well as images and other picture-like documents from providers.

To notify custodians of the change, the university sent an amendment email and followed that up with another email two weeks later, using the “read receipt” function for both. However, the university did not provide an updated version of the Provider Agreement to be executed by custodians who had already executed an earlier version of it.   

The university also acknowledged that there were two periods when REB approvals had lapsed during which the university continued to collect personal health information. While the university provided notice of the breach to the custodians for one of the periods, it did not do so for the other. 

Complaint

In 2022, an anonymous complaint was made by a group of doctors alleging that the university obtained personal health information from health information custodians without patient consent, and without providing sufficient information to the custodians. The complainants also conveyed their concern about the database uploading personal health information that may be “intentionally taken, transferred, used, altered, stored, and sold.” Additionally, the complainants raised concerns about the adequacy of the de-identification process and the disclosure of potentially identifying information from the database to other parties.

Findings

The IPC investigator found that there was a failure to comply with the section 44 PHIPA obligations for research. Among other failings, the IPC found that the university failed to provide custodians with a research plan and the REB decision approving the plan. It was also found that the university collected personal health information without valid REB approval at times when the REB approval had lapsed, and failed to provide notice of one of these breaches. 

The investigator was also not satisfied with the university’s claim that the Provider Agreement was effectively amended by sending the amendment emails about the 2020 changes. The investigator found that the university should have taken steps to ensure that custodians clearly, unambiguously and unequivocally communicated their acceptance of the proposed amendment to the Provider Agreement, instead of relying on silence.

Under section 44, PHIPA does not require patient consent. However, the university failed to ensure that custodians were providing patients with appropriate notice about the research, which was one of the conditions of the research plan approved by the REB.

Finally, the investigator found no evidence to support the complainants’ allegations regarding the sale of personal health information, or their de-identification concerns.

Recommendations

The investigator made a number of recommendations and provided the university with a six-month time-frame to report back to the IPC regarding the implementation of these recommendations. Some of the recommendations included ensuring that the university has a valid research agreement in place with each custodian, and that any significant amendments be included in that research agreement and be explicitly agreed to. 

The investigator also recommended that the university conduct a re-identification study to evaluate the robustness of its de-identification procedures. The investigator recommended that the university update its means of notifying patients about the UTOPIAN project and not rely solely on posters in doctors’ physical offices, particularly in a context of virtual care. Finally, the investigator recommended that the university exercise greater transparency with the contributing custodians and actively build up trust by having more open lines of communication with them. 

Key Takeaways

This decision raised several important points regarding researchers’ obligations under PHIPA:

  1. Researchers must ensure that they provide custodians with all required information under PHIPA so that custodians can make an informed decision about their participation in a health research project. This includes a copy of the research plan and the REB approval(s) of that plan.
  2. When significant amendments are made to a health research plan, researchers should take steps to ensure custodians clearly and explicitly communicate their acceptance of the proposed amendments. For instance, in this case, copies of the revised Provider Agreement with the updated consent form could have been sent with the request that custodians execute these, by including a link in the email for the custodians to click to indicate acceptance, or similar means.
  3. Researchers should reconsider their traditional methods of notifying patients about research (by way of posters in physicians’ physical offices) and reassess their effectiveness particularly in a context of virtual health care. For instance, a research plan could be varied in such a way as to propose an alternative and more effective form of notice where virtual care is more prevalent.
  4. Researchers should be transparent and maintain open lines of communication with custodians about the collection and use of personal health information to build up their trust in the research.
  5. Researchers should periodically reassess the robustness of their de-identification procedures to minimize re-identification risks that evolve over time with changes to the research plan and/or changes to the dynamic research environment. This can be done by way of a re-identification assessment in accordance with the best practices set out in the IPC’s De-identification Guidelines for Structured Data and ISO/IEC 27559:2022, including analysis of a specific dataset.

The bottom line is that personal health information is sensitive information that requires a high level of protection. While research is vitally important to improve the quality of health care and the effectiveness of the health system, custodians and the public want to be assured that their personal health information is being protected and that the researchers, who are collecting and using this information, are doing so in compliance with the law.

Ransomware reality: Case study in health care cybersecurity and recovery [Topics: Health, Technology and Security, Trust in Digital Health; Type: Case of Note]

Case of Note: PHIPA Decision 249

Introduction

Unfortunately, ransomware attacks are not an uncommon occurrence, especially in this era of rapidly advancing technologies. Bad actors use ransomware attacks to extract money and cause harm to others. As these types of attacks become increasingly common, health information custodians (HICs) should ensure that they have strong preventative measures in place to help minimize and prevent the risks of cybersecurity attacks. 

Background

Following detection of unusual activity on its systems in December 2022, a medical imaging clinic (the clinic) determined that it had been a victim of a ransomware attack. The clinic responded to the attack by immediately shutting off their servers and engaging breach counsel and a team of cybersecurity experts to assist with the containment, investigation, and remediation of the breach.

A week after the incident, the clinic notified the Office of the Information and Privacy Commissioner of Ontario (the IPC) that it was the victim of a ransomware attack. The clinic reported that affected files could have included up to 550,000 patient records and 1,600,000 case files.

The clinic’s experts determined that the threat actor (a known hacking group) likely gained entry into the system through a dormant account, which had significant administrative privileges. The threat actor encrypted and exfiltrated files from the electronic medical records and file sharing servers, deleted the backups and demanded ransom payment. In this case, the clinic was not able to restore its systems using the relevant backups and had to temporarily close. 

The clinic paid the ransom, after which the clinic was able to decrypt the information on the affected servers and recover all affected files. The clinic provided notice to the public of the breach both online and within its clinics.

The clinic explained to the IPC that it had security measures in place before the incident. However, the high level of activity during the attack caused logs to be overwritten before they could be reviewed. This meant that the clinic could not determine exactly how the intrusion occurred, or what tactics were used to gain access to the account credentials.

Since the incident, the clinic has taken remediation measures to strengthen its security by implementing several policies and practices aimed at preventing similar situations occurring in the future. For example, the clinic revised its Least Privilege Access Policy to limit domain access privileges to only two administrative staff and provide users only the minimum access necessary for their roles. It now has password strength and complexity requirements, monitors for and deletes dormant accounts, and conducts regular checks to ensure security patches are kept current. 

The clinic has also segregated its networks and put up firewalls as needed. In terms of backups, the clinic now keeps at least one viable copy of its backup offline that will remain unaffected in the event of another cyberattack, so that the clinic will be able to resume operations. The clinic has also improved its detection and response measures: it now uploads its VPN and firewall logs daily and retains them so that it can better investigate future cyber incidents with these logs in place.

Findings

The IPC investigator determined that the clinic took sufficient efforts to determine the scope of the breach and provide the appropriate notice. The investigator found that the clinic responded adequately to the breach that occurred, especially considering the remediation steps that it took to address the matter. The investigator also determined that, as the clinic provided notice and put in place effective remedial measures, a review was not warranted.

Key Takeaways

This case serves to alert HICs to the importance of having strong security procedures in place as a preventative measure against cybersecurity attacks, such as:

  1. giving privileged administrative access to only a very limited number of users
  2. reducing system access to the minimum amount necessary for each role and ensuring access is terminated when users leave or change roles
  3. monitoring for and deleting dormant accounts
  4. strong password policies
  5. anti-virus protection and spam filtering
  6. appropriate firewalls around the network, with external VPN connection
  7. multi-factor authentication
  8. regular checks to ensure security patches are kept current
  9. regular cybersecurity training to staff
  10. access logs with sufficient memory that can promptly detect unauthorized access to systems and assist in diagnosing what happened, when and how
  11. reliable backups in place, including at least one viable copy offline that remains unaffected in the event of a cyberattack so that the HICs are more readily able to resume operations   

These are just some of the ways HICs can help prevent, or at least help mitigate, successful cybersecurity attacks. For more information on preventative measures HICs can take upfront, refer to IPC’s fact sheet on How to Protect Against Ransomware.

Once a breach has occurred, it is imperative that HICs take immediate action to contain the breach, including shutting off their servers and engaging breach counsel and a team of cybersecurity experts. HICs should also consult the IPC guidance set out in Responding to a Health Privacy Breach: Guidelines for the Health Sector (the PHIPA Breach Guidelines) regarding appropriate steps to take once a breach has occurred.

Preventing a ransomware attack is no easy task. It takes time and resources. However, if proper and strong safety measures are put in place before an attack, then it is less likely that the threat actor will be successful. Taking measures to prevent a cyberattack is less costly than having to pay a ransom or rebuild a compromised system after the fact.       

Comments responding to the proposal to enhance personal health information contributed to the provincial electronic health record (EHR) [Topics: Trust in Digital Health; Type: Advice and Submissions]

Letter to the Ministry of Health responding to the changes proposed under the PHIPA regulation mandating contribution of personal health information to the electronic health record, and reiterating the need to ensure that personal health information is protected in systems used to assist in providing health care.

Administrative monetary penalties under the Personal Health Information Protection Act [Topics: Trust in Digital Health; Type: Professional Guidelines]

The Office of the Information and Privacy Commissioner of Ontario (IPC) is committed to protecting personal health information using a flexible and balanced approach that addresses privacy violations while encouraging accountability, learning, and continuous improvement.

As of January 1, 2024, the IPC has the discretion to issue administrative monetary penalties (AMPs) as part of its enforcement powers for violations of the Personal Health Information Protection Act (PHIPA).

Penalties are up to a maximum of $50,000 for individuals and $500,000 for organizations. AMPs may be issued for the purposes of encouraging compliance with PHIPA or preventing a person from deriving — directly or indirectly — any economic benefit from contravening the law.

Learn more about the criteria for AMPs and how the IPC will determine penalty amounts in our guidance.

If you have additional questions about AMPs, email us at @email.

Administrative Monetary Penalties: Guidance for the Health Care Sector [Topics: Trust in Digital Health; Type: Professional Guidelines]

As of January 1, 2024, the IPC has the discretion to issue administrative monetary penalties as part of its enforcement powers for violations of the Personal Health Information Protection Act (PHIPA). Download the guidance document to learn more.

Submission for Bill 135, Convenient Care at Home Act, 2023, which would amend the Connecting Care Act, 2019 [Topics: Trust in Digital Health; Type: Advice and Submissions]

In this letter to Brian Riddell, Chair of the Standing Committee on Social Policy, the IPC makes recommendations in relation to proposed amendments to the Connecting Care Act, 2019.

Comments and Approach for PHIPA Administrative Penalties [Topics: Trust in Digital Health; Type: Advice and Submissions]

Letter to Ministry of Health on support for and approach to proposed administrative penalties under PHIPA, highlighting their importance in enforcing healthcare privacy and access rights.

Notice of change to PHIPA Practice Direction #3 [Topics: Health, Trust in Digital Health; Type: Practice Directions]

Document Updated: A change to PHIPA Practice Direction #3 took effect on October 10, 2023.

As of October 10, 2023, the IPC may publish PHIPA decisions at any stage of dispute resolution, including early resolution, investigation, and adjudication. This includes publishing the name of the respondent and affected person(s), unless doing so would identify the complainant or any person whose personal health information is at issue.
