Cases of Note

Featured cases

A doctor holding an iPad looking at medical data.

Ransomware reality: Case study in health care cybersecurity and recovery

Ransomware attacks are not an uncommon occurrence, especially in this era of rapidly advancing technologies. As these types of attacks become increasingly common, health information custodians (HICs) should ensure that they have strong preventative measures in place to help minimize and prevent the risks of cybersecurity attacks.

A digital illustration of a shield, with somebody's hand reaching toward it.

Ensuring health data privacy: Insights from the UTOPIAN case

Health information research plays a vital role in improving medical treatments and the quality of care. However, health researchers in Ontario, dealing with this sensitive personal health information, must ensure that they adhere to the requirements of the Personal Health Information Protection Act (PHIPA).

Cyberattack response: Duty to notify individuals under PHIPA and CYFSA

Public sector institutions face ever-escalating risks of cyberattacks. When dealing with a cyberattack, institutions must act quickly to address a breach and notify individuals whose personal information may have been affected. These cases highlight an organization’s duty to notify affected individuals in the event of a cyberattack under Ontario’s Personal Health Information Protection Act and Part X of the Child, Youth and Family Services Act.

Recent cases of note

Ensuring secure disposal of health records: Out of sight is not out of mind!

The Personal Health Information Protection Act (PHIPA) requires health information custodians (HICs) to protect personal health information (PHI) in their custody or control, including by ensuring secure methods of record disposal to prevent unauthorized access by others. PHIPA Decision 266 highlights the consequences of failing to meet these obligations and provides valuable lessons for all HICs on how to securely dispose of patient records.

Preventing health privacy breaches: Why training, policies, and confidentiality agreements matter

Health information custodians (HICs) have a duty under Ontario’s Personal Health Information Protection Act (PHIPA) to ensure that they protect the personal health information of their patients. This includes having policies regarding the use of patients’ personal health information for education purposes and ensuring compliance with such policies. This case highlights the central role of comprehensive privacy policies, annual privacy training, and confidentiality agreements, in preventing unauthorized access to personal health information.