PHIPA DECISION 249

A medical imaging clinic notified the Office of the Information and Privacy Commissioner of Ontario (the IPC) of a breach under the Personal Health Information Protection Act (the Act or PHIPA), following a ransomware attack against the clinic. The threat actor encrypted and exfiltrated files from the electronic medical records and file sharing servers and deleted the clinic’s backups. The clinic shut off the servers immediately, and these remained off while the clinic engaged in discussions with the threat actor. The threat actor provided the clinic with a file tree indicating which files they had exfiltrated, and the clinic ultimately decided to pay the ransom. The clinic was then able to decrypt all information on the affected servers and recover all files.
The clinic’s virtual private network kept logs of connections to its systems, but these logs had limited data storage. Because there was so much activity during the attack, the logs ran out of storage and the more recent data wrote over older events. The records from the earlier part of the attack were therefore lost before the clinic could review them. This limited the clinic’s investigation, though they did find that a dormant account belonging to a former internal application developer had been active during the attack. They concluded that this account, which had significant administrative privileges, was used by the threat actor to first gain access to the system and then move to other servers.
The clinic posted notices regarding the cyberattack within its physical locations and online. These notices listed the categories of information in the file tree. Later notices also acknowledged that patient medical records were stored in the affected servers, but that there were no signs that these records had been accessed. The clinic clarified to the IPC that its forensic experts examined all files for indications of access by the threat actor. The areas for which there was evidence of access correlated with what the threat actor had set out in its file tree.
The clinic revised its guidance to include improved password security, limitation on privileges granted to accounts, deletion of dormant accounts, and improved patch management. It put in place additional security measures, including replacement of the virtual private network with a newer model with enhanced storage to keep logs indefinitely, and extended detection and response capabilities. The clinic now always keeps one backup offline. In light of the steps taken by the clinic to remediate the situation, I have concluded that it is not necessary to pursue a review of this matter under Part VI of the Act.