PHIPA DECISION 254

In June 2021, the respondent Kingston, Frontenac and Lennox & Addington Public Health (KFL&A) was the subject of a ransomware attack. The attack resulted in the encryption of multiple KFL&A servers, including those containing personal health information.
The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like KFL&A to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. KFL&A takes the position that the threat actor’s encryption of servers containing personal health information, without evidence of any access to or exfiltration of that information, does not qualify as a theft, loss, or unauthorized use or disclosure of personal health information within the meaning of section 12(2), and that the duty to notify does not apply.
In this decision, the adjudicator finds that the threat actor’s encryption of KFL&A servers affected the personal health information in those servers, by making that information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2). As a result, KFL&A had a duty under PHIPA to notify affected individuals “at the first reasonable opportunity.” At the time of the incident, KFL&A issued media releases informing the public about the attack, and of the progress of its recovery efforts. While KFL&A’s notice did not comply with section 12(2) because it did not include a statement about the right to complain to the IPC, and ought to have included more detail for the benefit of affected individuals, the adjudicator finds no useful purpose in directing that further notice be given now. She concludes the review without issuing an order.