Dernières décisions

In July 2022, the respondent Simcoe Muskoka District Health Unit (SMDHU) was the subject of an email phishing attack. As a result of the attack, a threat actor gained access to one SMDHU email account containing approximately 20,000 emails, including about 1,000 emails containing personal health information. SMDHU reports that the threat actor’s access to the compromised email account was limited to one hour, and that its forensic analysis found no evidence that the threat actor viewed, downloaded, copied, sent, forwarded, or removed any emails while in the compromised account.
The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like SMDHU to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. SMDHU asserts that there is no evidence to conclude, on a balance of probabilities, that any such privacy breach occurred, and on this basis takes the position that the duty to notify does not apply.
In this decision, the adjudicator concludes, on a balance of probabilities, that the threat actor’s undisturbed access to an SMDHU email account containing a considerable amount of personal health information resulted in both an unauthorized disclosure and an unauthorized use of personal health information. As a result, the duty to notify in section 12(2) applies. During the IPC review, SMDHU decided to send detailed letter notices to individuals whose personal health information may have been affected by the phishing attack. The adjudicator finds that through its direct notification of individuals during the review, SMDHU provided notice as required by section 12(2) of PHIPA, although it should have done so at the first reasonable opportunity. In the circumstances, she concludes the review without issuing an order.

In December 2022, the respondent the Hospital for Sick Children (the hospital) was the subject of a ransomware attack. The attack resulted in the encryption of numerous hospital servers, including those containing personal health information. However, the hospital’s investigation did not find evidence of any access to or exfiltration of personal health information by the threat actor, or of any impact to the hospital’s primary medical records system.

The IPC initiated a review of the matter under the Personal Health Information Protection Act, 2004 (PHIPA). Section 12(2) of PHIPA sets out a duty on health information custodians like the hospital to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or used or disclosed without authority. The hospital asserts that because the threat actor encrypted virtual servers at the “container” level, it did not “directly interact” with personal health information housed in the encrypted servers. The hospital takes the position that the attack did not result in a theft, loss, or unauthorized use or disclosure of personal health information within the meaning of section 12(2), and that the duty to notify does not apply.

In this decision, the adjudicator finds that the threat actor’s encryption of hospital servers at the container level affected the personal health information in those servers, by making that information unavailable and inaccessible to authorized users. The ransomware attack resulted in both an unauthorized use and a loss of personal health information within the meaning of section 12(2). As a result, the hospital had a duty under PHIPA to notify affected individuals “at the first reasonable opportunity” of the incident. In the immediate aftermath of the attack, and in the weeks following, the hospital posted updates on its website and on social media informing the public about the attack, and of the progress of its investigation and remediation efforts. While the hospital’s notice did not comply with section 12(2) because it did not include a statement about the right to complain to the IPC, the adjudicator finds no useful purpose in directing that notice of the right to complain be given now. She concludes the review without issuing an order.

This order determines whether the Toronto District School Board (the board) conducted a reasonable search for records responsive to a request made under the Act. In this order, the adjudicator finds that the board conducted a reasonable search for responsive records in accordance with its obligations under section 17 and dismisses the appeal.

The appellant requested records relating to criminal investigations he was involved in from the police. The police decided to grant access to some of the records, but withheld information pursuant to the personal privacy exemption in section 38(b). In this order, the adjudicator upholds the police’s decision and dismisses the appeal.

The city denied access to records relating to a trespass notice issued by it to the appellant. Responsive records were withheld pursuant to section 38(a) (discretion to refuse requester’s own information) read with law enforcement exemptions at section 8(1) of the Act. In this order, the adjudicator upholds the city’s decision to deny access to responsive records pursuant to section 38(a) read with section 8(1)(e) (endanger life or safety).

The complainant asserted that a doctor had not conducted a reasonable search for his medical records. The complainant relied on an affidavit of documents from an existing court proceeding between himself and the doctor to identify the allegedly missing records and to argue that they should exist.
In this decision, the adjudicator concludes that the existing court proceeding between the complainant and the doctor could more appropriately and completely address the complaint, since it concerns the affidavit of documents. The adjudicator concludes there are no reasonable grounds to conduct a review of the complaint and she exercises her discretion not to proceed with a review.

The City of Ottawa received a request under the Act for access to records relating to the successful bid response to a specified RFP for healthcare procurement services. The city granted partial access to the records, withholding portions pursuant to various exemptions. The requester appealed the city’s decision and claimed a public interest in the disclosure of the withheld information.
In this order, the adjudicator finds that the third party information exemption in section 10(1) of the Act applies to the remaining information at issue. She finds that the public interest override in section 16 does not apply. She upholds the city’s decision and dismisses the appeal.

The appellant submitted a request under the Act to the police for an audio/video statement made by her deceased brother to the police. The police denied the appellant access to the record, claiming the application of the personal privacy exemption. The appellant appealed the police’s decision, claiming the application of the compassionate grounds exception to the personal privacy exemption in section 14(4)(c) of the Act. In this decision, the adjudicator upholds the police’s decision, finding the record is exempt under the personal privacy exemption at section 38(b) and not subject to section 14(4)(c).

Asserting the correction rights in the Act, the mother of a child requested that the hospital make several corrections to her child’s medical record regarding a previous diagnosis and references to other matters regarding the child and his father. The hospital granted some corrections, but denied two corrections related to a specific diagnosis.

In this decision, the adjudicator finds that the references to the diagnosis are professional opinions or observations made in good faith by a hospital physician, and the section 55(9)(b) exception to the duty to correct therefore applies. He upholds the decision of the hospital and dismisses the complaint.

The complainant requested a copy of her entire file from the custodian. The complainant was dissatisfied with the completeness of the records she received and challenges the search for records. The adjudicator finds that the custodian has complied with her search obligations under PHIPA and dismisses the complaint.

This final order determines whether the Workplace Safety and Insurance Board (the WSIB) conducted a reasonable search for responsive records. In the first interim order PO-4402-I, the adjudicator ordered the WSIB to conduct a further search for responsive records. In the second interim order PO-4424-I, the adjudicator again ordered the WSIB to conduct a further search for responsive records. In this final order, the adjudicator finds that the WSIB has now conducted a reasonable search for responsive records and dismisses the appeal.

The appellant sought access from the Ministry of the Solicitor General (the ministry) to statements of certain individuals in police reports regarding a property damage dispute with his neighbour. The ministry denied access to the requested information, relying on the discretionary personal privacy exemption in section 49(b).

A medical imaging clinic notified the Office of the Information and Privacy Commissioner of Ontario (the IPC) of a breach under the Personal Health Information Protection Act (the Act or PHIPA), following a ransomware attack against the clinic. The threat actor encrypted and exfiltrated files from the electronic medical records and file sharing servers and deleted the clinic’s backups. The clinic shut off the servers immediately, and these remained off while the clinic engaged in discussions with the threat actor. The threat actor provided the clinic with a file tree indicating which files they had exfiltrated, and the clinic ultimately decided to pay the ransom. The clinic was then able to decrypt all information on the affected servers and recover all files.
The clinic’s virtual private network kept logs of connections to its systems, but these logs had limited data storage. Because there was so much activity during the attack, the logs ran out of storage and the more recent data wrote over older events. The records from the earlier part of the attack were therefore lost before the clinic could review them. This limited the clinic’s investigation, though they did find that a dormant account belonging to a former internal application developer had been active during the attack. They concluded that this account, which had significant administrative privileges, was used by the threat actor to first gain access to the system and then move to other servers.
The clinic posted notices regarding the cyberattack within its physical locations and online. These notices listed the categories of information in the file tree. Later notices also acknowledged that patient medical records were stored in the affected servers, but that there were no signs that these records had been accessed. The clinic clarified to the IPC that its forensic experts examined all files for indications of access by the threat actor. The areas for which there was evidence of access correlated with what the threat actor had set out in its file tree.
The clinic revised its guidance to include improved password security, limitation on privileges granted to accounts, deletion of dormant accounts, and improved patch management. It put in place additional security measures, including replacement of the virtual private network with a newer model with enhanced storage to keep logs indefinitely, and extended detection and response capabilities. The clinic now always keeps one backup offline. In light of the steps taken by the clinic to remediate the situation, I have concluded that it is not necessary to pursue a review of this matter under Part VI of the Act.

The complainant submitted a twelve-part correction request under the Act to a health information custodian for the correction of her personal health information within a psychotherapy consultation report. The custodian denied the request on the basis that it did not have a duty under section 55(8) of the Act to make the corrections. In this decision, the adjudicator upholds the custodian’s refusal to correct the report, finding that the exception to the duty to correct at section 55(9)(b) of the Act applies to the personal health information at issue. She dismisses the complaint.

The City of St. Thomas (the city) received a request under the Act for records related to by-law complaints about the appellant’s property. The city denied access to portions of a responsive by-law complaint form on the basis of the mandatory personal privacy exemption in section 14(1) of the Act.

In this order, the adjudicator upholds the city’s decision that the personal information in the complaint form is exempt by reason of section 14(1).