PHIPA DECISION 255

Collection: Health Information and Privacy
Date:
File Numbers: HR22-00297
Adjudicators: Jenny Ryu
Decision Type: Decision - PHIPA
Applicable Legislation:
PHIPA - 2
PHIPA - 3(1)
PHIPA - 12(1)
PHIPA - 12(2)
PHIPA - 29
PHIPA - 58(1)
General, RRO 1990, Reg 823 - s. 3(1)
General, RRO 1990, Reg 460 - s. 4(1)

In July 2022, the respondent Simcoe Muskoka District Health Unit (SMDHU) was the subject of an email phishing attack. As a result of the attack, a threat actor gained access to one SMDHU email account containing approximately 20,000 emails, including about 1,000 emails containing personal health information. SMDHU reports that the threat actor’s access to the compromised email account was limited to one hour, and that its forensic analysis found no evidence that the threat actor viewed, downloaded, copied, sent, forwarded, or removed any emails while in the compromised account.
The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like SMDHU to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. SMDHU asserts that there is no evidence to conclude, on a balance of probabilities, that any such privacy breach occurred, and on this basis takes the position that the duty to notify does not apply.
In this decision, the adjudicator concludes, on a balance of probabilities, that the threat actor’s undisturbed access to an SMDHU email account containing a considerable amount of personal health information resulted in both an unauthorized disclosure and an unauthorized use of personal health information. As a result, the duty to notify in section 12(2) applies. During the IPC review, SMDHU decided to send detailed letter notices to individuals whose personal health information may have been affected by the phishing attack. The adjudicator finds that through its direct notification of individuals during the review, SMDHU provided notice as required by section 12(2) of PHIPA, although it should have done so at the first reasonable opportunity. In the circumstances, she concludes the review without issuing an order.