A public hospital notified the office of the Information and Privacy Commissioner of Ontario (the IPC) of a breach under the Personal Health Information Protection Act (the Act), as there had been a cyberattack against the hospital. After the hospital self-reported the breach, the IPC opened a file relating to this breach, and subsequently received four complaints from affected individuals. During the cyberattack, the threat actor accessed numerous hospital systems, via a password-spraying attack that compromised an account with privileged access. The hospital took immediate steps to disable the affected accounts and fix the firewall issue that had allowed for the access to occur. The hospital found that the threat actor had exfiltrated large amounts of information, but was not able to determine the exact data that had been taken. The hospital did determine the types of personal health information that may have been accessed, and estimated the number of patients who may have been affected. The hospital provided public notice of the breach, and has agreed to continue to monitor the dark web for two years for any activity relating to this breach.
The hospital provided the IPC with numerous guidelines in place addressing information security, all of which were revised following the cyberattack. These included guidance on strength of passwords, limitation on privileges granted to accounts, and firewall protections. The hospital also provided the IPC with a breach protocol specific to cybersecurity incidents, which was put in place following the incident. In light of the steps taken by the hospital to remediate the situation, including the guidance now in place, I have concluded that it is not necessary to pursue a review of this matter under Part VI of the Act.