Cyberattack response: Duty to notify individuals under PHIPA and CYFSA

Background

The following decisions involved different cyberattacks against four different organizations. Three involved health information custodians (HICs) subject to the Personal Health Information Protection Act (PHIPA), and the fourth involved a Children’s Aid Society subject to Part X of the Child, Youth and Family Services Act (CYFSA). In all four cases, the organizations took the position that there was no duty to notify affected individuals because there was no evidence that personal health information or personal information was taken (or exfiltrated) from their systems. The Office of the Information and Privacy Commissioner (IPC) disagreed, finding that the loss, or unauthorized use or disclosure of personal (health) information triggered the duty to notify affected individuals even if the cyberattack did not result in the exfiltration of the information.

Findings 

In CYFSA Decision 19,[1] the Halton Children’s Aid Society (CAS) was the subject of a ransomware attack in February of 2022 that resulted in the full encryption of some CAS systems. The encryption occurred at the container level and not at the level of individual file folders. The forensic investigation firm hired to examine the attack determined that the threat actor’s encryption of select servers “did not result in any access to or exfiltration of data” in the CAS’s servers.

The adjudicator found that the encryption of servers containing personal information resulted in the unauthorized use and loss of that information within the meaning of section 308(2) of the CYFSA. CAS had a duty to notify affected individuals “at the first reasonable opportunity.” However, the adjudicator determined that direct notice was not required in this case given relevant factors including evidence of diligent efforts by the CAS to contain and to remedy the effects of the cyberattack, and the passage of time. The adjudicator ordered the CAS to provide this notice through indirect public notice within 30 days of the date of the decision, either by posting a general website notice or some other form of indirect public notice.

In PHIPA Decision 253,[2] the Hospital for Sick Children was the subject of a ransomware attack in December of 2022. The threat actor encrypted numerous hospital servers at the container level. Many of these servers contained some form of personal health information. The investigation found no evidence that any personal health information was accessed or taken. Immediately after the attack, and in the weeks following, the hospital posted updates on its website and on social media informing the public about the attack, and the progress of its investigation and remediation efforts.

The adjudicator determined that the ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2) of PHIPA. As a result, the hospital had a duty to notify under PHIPA, which it did. The adjudicator found, however, that the hospital’s notice did not comply with section 12(2) of PHIPA because it did not include a statement about the right to file a complaint with the IPC. Nonetheless, considering the sufficiency of the hospital’s responses, the overall circumstances, and the passage of time, the adjudicator found no useful purpose in directing that a revised notice be given. The adjudicator concluded the review without issuing an order.

In PHIPA Decision 254, Kingston, Frontenac and Lennox & Addington Public Health (KFL&A) was the subject of a ransomware attack in June of 2021. KFL&A confirmed that the threat actor encrypted more than 8,000 patient records on its servers. While the investigation found tools associated with exfiltration in some of the servers containing personal health information, it found no evidence the threat actor had taken information. Following payment of a ransom, KFL&A reported that “all important data was successfully decrypted.” At the time of the incident, KFL&A issued news releases informing the public about the attack, and of the progress of its recovery efforts. 

As in PHIPA Decision 253, the adjudicator found that the ransomware attack resulted in both an unauthorized use and loss of personal health information within the meaning of section 12(2) of PHIPA. As a result, KFL&A had a duty to notify under PHIPA. The adjudicator determined that KFL&A’s notice did not comply with section 12(2) of PHIPA because it should have included more details and a statement about the right to file a complaint with the IPC. However, given the sufficiency of KFL&A’s responses, the overall circumstances, and the passage of time, the adjudicator found no useful purpose in directing that further notice be given. The adjudicator concluded the review without issuing an order.

In PHIPA Decision 255, the Simcoe Muskoka District Health Unit (SMDHU) was the subject of an email phishing attack in July of 2022. The threat actor gained access to one SMDHU email account containing approximately 20,000 emails, including about 1,000 emails containing personal health information. SMDHU’s investigation determined that the threat actor had not sent or forwarded any emails from the compromised account. The forensic investigation also found that the threat actor had only one hour of access to the one compromised email account. During the IPC’s review, SMDHU proceeded to send detailed letters notifying individuals whose personal health information may have been affected by the breach.

The adjudicator concluded, on a balance of probabilities, that the threat actor’s access to an SMDHU email account resulted in both an unauthorized disclosure and use of personal health information. As a result, the duty to notify affected individuals under section 12(2) of PHIPA applied. Although SMDHU provided direct notification to individuals during the IPC review, the adjudicator found that SMDHU should have done so at the first reasonable opportunity. In the circumstances, the adjudicator concluded the review without issuing an order.

Key takeaways

Encryption of personal (health) information by threat actors that makes the information inaccessible or unavailable may constitute loss, or unauthorized use or disclosure of the information. This applies even without exfiltration of, or access to, individual files and triggers the duty to notify affected individuals.

  1. The act of encryption transforms personal (health) information by making it unavailable and inaccessible to authorized users of the information. Making the encrypted records unavailable to HICs or service providers for use, disclosure and other handling for authorized purposes is a kind of “handling” of or “dealing with” that information. In other words, it is a use of information within the meaning of PHIPA and CYFSA.
  2. If information is made unavailable or inaccessible to authorized users because of unauthorized activity, then it is also a “loss” of information under section 12(2) of PHIPA and section 308(2) of CYFSA. A threat actor’s encryption of servers has the effect of denying authorized users access to personal (health) information that is required to provide services. In other words, there is a loss of information, even if it is just for a limited period.
  3. Successful recovery of information, after information has been made unavailable or inaccessible due to a ransomware attack, does not cancel out the duty to notify affected individuals under PHIPA section 12(2) and CYFSA section 308(2).  
  4. The duty to notify affected individuals can be met in different ways. When considering the appropriate form of notice, organizations should consider relevant circumstances, including, but not limited to:
  • The number of individuals potentially affected by the cyberattack.
  • The adequacy of the response to the cyberattack.
  • The volume and sensitivity of the affected information.
  • Evidence of any continuing privacy risks from the attack.

Cybercriminals sometimes lock down (encrypt) personal information and make it inaccessible to the institution, bringing its operations to a halt. Other times, they gain access to an institution’s servers and threaten to post sensitive personal information online. When dealing with a cyberattack, institutions must act quickly to contain and recover from any cybersecurity breach, and notify individuals whose personal information may have been affected by the breach.

Notes

  1. This decision is the subject of an ongoing judicial review and an appeal.
  2. This decision is subject to an ongoing judicial review.