Recent cases of note

Lost and found: Preserving abandoned health records

Health information custodians (HICs) have a duty under the Personal Health Information Protection Act (PHIPA) to protect and secure individuals’ records of personal health information. When HICs abandon or lose custody or control of this information or fail to reasonably safeguard it, they are in violation of Ontario’s health privacy law. Parties who are not HICs, but who come into possession of records of personal health information, may also find themselves responsible for preserving them as recipients of the information (section 49(1)). 

Toronto District School Board Cyberattack: Recommendations for improved security

A social engineering attack at a TDSB high school led to unauthorized access to the personal information of current and former students, parents and staff across several schools. The threat actor gained unauthorized access to the affected schools’ systems by obtaining the login credentials of a school’s Vice-Principal (VP) through a social engineering attack, and by obtaining the login credentials for the VP’s OneDrive account from a browser cache connected to the Vice-Principal. The breach resulted in several recommendations from the IPC to the TDSB that will assist in improving its security posture.

Toronto Public Library Cyberattack: Importance of reasonable security measures and notifying affected individuals under MFIPPA

A cyberattack on the Toronto Public Library exposed vulnerabilities in its systems that contained a significant number of individuals’ personal information. Read the closing letter to learn how the case was settled at the Early Resolution Stage.

Respondus exam proctoring software: Privacy concerns and recommendations

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a complaint about McMaster University’s (McMaster or the university) use of Respondus exam proctoring software under the Freedom of Information and Protection of Privacy Act (FIPPA or the Act).

Hospital cyberattack: IPC decision highlights breach response and security improvements

A public hospital notified the Office of the Information and Privacy Commissioner of Ontario (the IPC) of a breach under the Personal Health Information Protection Act (the Act) following a cyberattack against the hospital. After the hospital self-reported the breach, the IPC opened a file relating to it and subsequently received four complaints from affected individuals.

Cyberattack of a prescribed person: IPC report highlights breach response and details the indirect notice method used to reach affected individuals

A prescribed person under the Personal Health Information Protection Act reported a breach to the IPC regarding a cyberattack that involved the unauthorized copying of approximately 3.4 million individuals’ personal health information from the prescribed person’s secure file transfer server. The threat actors gained unauthorized access to the server by exploiting a zero-day vulnerability in the file transfer software, MOVEit, that was installed on this server.

Preventing health privacy breaches: Why training, policies, and confidentiality agreements matter

Health information custodians (HICs) have a duty under Ontario’s Personal Health Information Protection Act (PHIPA) to protect the personal health information of their patients. This includes having policies regarding the use of patients’ personal health information for education purposes and ensuring compliance with such policies. This case highlights the central role of comprehensive privacy policies, annual privacy training, and confidentiality agreements in preventing unauthorized access to personal health information.
