Simon's Megalomaniacal Legal Resources

(Ontario/Canada)


Civil and Administrative
Litigation Opinions
for Self-Reppers


Internet - Ransomware

. Hospital for Sick Children v. Ontario (Information and Privacy Commissioner) [ransomware]

In Hospital for Sick Children v. Ontario (Information and Privacy Commissioner) (Ont Div Ct, 2025) the Ontario Divisional Court dismissed a FIPPA JR, this against a "decision of the respondent Information and Privacy Commissioner of Ontario" (IPC) where "the IPC found that privacy breaches had occurred, and that the Applicants had failed to comply with the requirement to notify affected individuals".

Here the court notes the outcome of the appeal/JR and summarizes the IPC's decisions under review (which were upheld in the result):
[3] At issue before the IPC was alleged non-compliance with Ontario privacy legislation. Under that legislation, the Applicants are required to notify individuals, at the first reasonable opportunity, of the theft, loss, or unauthorized use of their personal information that is in the Applicants’ possession or control. The notification is required to include a statement about the individuals’ entitlement to make a complaint to the IPC about the privacy breach.

[4] Following separate cybersecurity incidents (known as “ransomware” attacks), the Applicants were temporarily unable to access individuals’ personal information on the Applicants’ servers. After investigation, the Applicants concluded that the perpetrators were not able to view, access or exfiltrate any of the data. Both Applicants notified the IPC of the ransomware attacks but took the position that the requirement to notify affected individuals had not been engaged. SickKids (but not Halton) publicly disclosed the attack, without referring to the entitlement to complain to the IPC.

[5] In the Decisions, the IPC found that privacy breaches had occurred, and that the Applicants had failed to comply with the requirement to notify affected individuals. In the Halton Decision, the IPC ordered Halton to provide the required notice by posting a notice on its website or issuing a public release. In the SickKids Decision, the IPC did not issue a remedial order. The adjudicator found no useful purpose in doing so, given SickKids's previous public disclosure.

....

E. The Decisions

[28] The IPC adjudicated and issued both the SickKids Decision and the Halton Decision on July 5, 2024. In each case, for substantially similar reasons, the IPC found that the ransomware attack resulted in both an unauthorized “use” and a “loss” of personal information within the meaning of the applicable legislation. Therefore, the IPC concluded that the Applicants were required to notify affected individuals of the attacks “at the first reasonable opportunity”: see PHIPA, s. 12(2); CYFSA, s. 308(2).

[29] On the same day as the Decisions, the IPC issued two other decisions that stemmed from cyberattacks on health information custodians subject to PHIPA: Kingston, Frontenac and Lennox & Addington (KFL&A) Public Health (Re), 2024 CanLII 67096 (ON IPC); Simcoe Muskoka District Health Unit (Re), 2024 CanLII 67094 (ON IPC). In each decision, the IPC found that the cyberattack resulted in both an unauthorized “use” and a “loss” of personal information within the meaning of s. 12(2) of PHIPA. These decisions (like the Decisions being considered by this panel) each included the same statement under the heading “Overview” (in each case at para. 2):
As these decisions illustrate, a cyberattack on an organization’s information systems may trigger the duty to notify whether or not the attacker takes further malicious action (like using stolen identity information, or demanding a ransom) with the affected information.

i. Unauthorized use of information

[30] In the SickKids Decision, at paras. 39-43, the IPC provided the following justification for its finding that the ransomware attack resulted in an unauthorized “use” of personal health information within the meaning of s. 12(2) of PHIPA:
39. I accept the hospital’s evidence that the threat actor’s encryption of hospital servers occurred at the container level, rather than at the level of individual files of personal health information housed within those servers. For the purposes of this decision, I am also prepared to accept the hospital’s evidence that the threat actor did not view or access any individual files of personal health information housed within the hospital’s environment that the threat actor infiltrated. However, the question remains whether the personal health information in the affected servers was “handled” or “otherwise dealt with,” and thus “used” within the meaning of PHIPA. I find that the personal health information was used in this way.

40. This is because I do not accept the hospital’s assertion that the threat actor’s locking (by encryption) of external containers housing personal health information has no effect on that information. Instead, it is my view that the transformation (by encryption) of external containers also transforms the personal health information housed within those containers—at a minimum, by making that personal health information unavailable and inaccessible to authorized users of that information. The effect of making unavailable to the hospital the personal health information held within the encrypted containers is, I find, a kind of “handling” of or “dealing with” that information, and thus a use within the meaning of PHIPA.

41. The hospital argues that to the extent any personal health information was inaccessible during the ransomware attack, backups of that information were readily available. But the restoration of personal health information from backups does not negate the fact that something happened to the personal health information inside the encrypted containers, giving rise to the need to restore that information. The availability of backups to restore the affected personal health information does not preclude a finding of use.

42. I also note that this use of personal health information occurs whether or not the threat actor actually views or accesses specific files of personal health information held within the affected containers, or exfiltrates that information outside the hospital’s environment. It is my finding that the act of encrypting containers housing personal health information is, by itself, a use of that information within the meaning of PHIPA.

43. There is no claim that this use occurred with the appropriate consent, or was permitted or required to be done without consent under PHIPA. In these circumstances, the threat actor’s encryption of hospital servers was an unauthorized use of personal health information within the meaning of section 12(2).

[31] In the Halton Decision, at paras. 52-55, the IPC provided substantially similar reasoning for finding that the Halton ransomware attack resulted in an unauthorized use of personal information within the meaning of s. 308(2) of the CYFSA.

ii. Loss of information

[32] In the SickKids Decision, at paras. 47-53, the IPC provided the following justification for its finding that the ransomware attack resulted in the “loss” of the personal health information within the meaning of s. 12(2) of PHIPA:
47. The hospital submits that a finding of loss in this case would not be supported by the case law and would not reflect the mechanics of the encryption that occurred. The hospital says that previous IPC decisions that found a loss of personal health information involved situations where that information was destroyed or misplaced—where the losses were crystallized and, to a degree, permanent. By contrast, the hospital says, the ransomware attack at issue here did not result in a permanent lack of access to the affected servers or to the personal health information contained in them, since backups of the servers were not affected by the attack and were available to support the hospital’s clinical functions. In these circumstances, the hospital says, there was no “loss” of personal health information.

48. A robust backup policy is an important component of an organization’s information security practices. In this case, the hospital had in place policies and practices that enabled it to quickly restore its information systems and resume its clinical functions. The hospital’s information practices were key to its ability to quickly recover from the cyberattack.

49. However, the restoration of affected systems from backups does not negate the fact that, for some period of time, personal health information in the custody or control of the hospital was made inaccessible to it as a result of the threat actor’s attack on its information systems. Specifically, the ransomware encryption attack had the effect of denying authorized users (i.e., the hospital) access to personal health information that it required to provide services. As the hospital publicly reported, the consequences of this loss of availability included delays retrieving lab and imaging results, and some resulting diagnostic and treatment delays.

50. The distinction drawn by the hospital between encryption occurring at the file level and encryption occurring at the container level makes no practical difference to my finding. In either case, the effect on an individual’s personal health information is the same: that information is made unavailable to the authorized user of that information because of an unauthorized activity. I find this is a “loss” of that information within the meaning of section 12(2) of PHIPA, and the duty to notify is thus also triggered for this reason.

51. In defining loss in this way, I distinguish this situation from other routine or non-routine disruptions in a custodian’s ability to access or otherwise use personal health information in its custody or control for authorized purposes. For example, a scheduled software or hardware maintenance operation or an unexpected power outage may also disrupt, for a temporary period, a custodian’s ability to access personal health information in its custody or control for authorized purposes. An overly broad interpretation of the terms “lost” and “loss” in section 12(2) could require the notification of individuals in situations like these, which would not in my view serve the purpose of the duty to notify. Further, it is not difficult to imagine how an overly broad interpretation of loss could lead to notification fatigue on the part of the public, disproportionate costs to the custodian, and other unintended and undesirable consequences.

52. Instead, I adopt a purposive definition of these terms in section 12(2) that, in the context of a ransomware attack, contemplates notice to affected individuals where there has been an unauthorized action in respect of their personal health information. It is consistent with the purposes of section 12(2) that individuals be notified of a third party’s malicious action done with the intention of, and having the effect of, denying a custodian access to those individuals’ personal health information in the custodian’s custody or control.

53. The purpose of the duty to notify in these circumstances is to inform individuals about the unauthorized action involving information that, in a fundamental sense, belongs to them. These individuals should be made aware if the custodian is not able to access their personal health information as a result of unauthorized activity, and of the risks associated with that activity. It is also consistent with a purposive reading of this section not to require notification in a situation like routine maintenance or a power outage, which may disrupt a custodian’s ability to access personal health information, but which is not the result of unauthorized activity and is not likely to increase the risk of unauthorized activity. The latter situations generally would not qualify as a loss under section 12(2). The different outcomes in these different scenarios are in keeping with the purposes of the duty to notify in PHIPA.

[Footnotes omitted.]

[33] In the Halton Decision, at paras. 58-64, the IPC provided substantially similar reasoning for finding that the ransomware attack resulted in the loss of personal information within the meaning of s. 308(2) of the CYFSA.

iii. Remedy

[34] In the SickKids Decision, the IPC noted that SickKids made appropriate public disclosure of the SickKids attack in its aftermath. However, the IPC found that the notice did not comply with s. 12(2) of PHIPA because it did not include a statement about the right to complain to the IPC. The IPC also decided that there was no useful purpose in directing SickKids to provide notice of the right to complain at that time. Therefore, the IPC concluded its review without issuing a remedial order.

[35] In the Halton Decision, in the absence of prior public disclosure of the Halton attack, the IPC decided to make a remedial order as a result of Halton’s noncompliance with the notification requirement in s. 308(2) of the CYFSA. As set out in the Summary of the Halton Decision, the IPC found:
After taking into account relevant circumstances, including the evidence of diligent efforts by the [Halton] CAS to contain and to mitigate the risks of the privacy breach, the adjudicator finds that the notice requirement can be met in this case through the posting of a general notice on the CAS’s website, or another form of indirect public notice. The adjudicator orders the CAS to provide this notice within 30 days of the date of this decision.

[36] In deciding that notice on Halton’s website or another form of indirect notice was sufficient, the IPC considered and rejected requiring Halton to provide direct notice to individuals, stating that it was satisfied that a flexible approach to notification is appropriate in the circumstances: Halton Decision, at para. 75.

. Hospital for Sick Children v. Ontario (Information and Privacy Commissioner)

In Hospital for Sick Children v. Ontario (Information and Privacy Commissioner) (Ont Div Ct, 2025) the Ontario Divisional Court dismissed a joint appeal/JR, this against a "decision of the respondent Information and Privacy Commissioner of Ontario" (IPC) where "the IPC found that privacy breaches had occurred, and that the Applicants had failed to comply with the requirement to notify affected individuals".

The court describes a ransomware attack on public bodies (here, a hospital and a CAS), and its interaction with PHIPA and CYFSA privacy law:

C. The ransomware attacks

[18] In 2022, the information systems of Halton and SickKids were targeted by separate ransomware attacks. Ransomware is a type of malware that encrypts the victim’s data, making it inaccessible until a ransom is paid.

[19] As the Applicants indicate, there are different ways attackers (or “threat actors”) go about encrypting data. One is by encrypting individual data files identified on various computers or servers. Another is by encrypting operating system files which are stored in virtual disk images or “containers”, which house individual files. If encryption occurs at the container level, the act of encryption does not itself indicate that the threat actor has accessed, viewed, or exfiltrated the data within the container. Rather, once the container is encrypted, neither the threat actor nor the health information custodian or service provider can access or view its contents until it is decrypted.

[20] On February 22, 2022, Halton became aware of a ransomware attack on its systems (the Halton “attack” or “ransomware attack”). On December 18, 2022, SickKids discovered the ransomware attack on its systems (the SickKids “attack” or “ransomware attack”).

[21] Each Applicant advised the IPC of the ransomware attack affecting their systems within a few days of learning of it. However, as explained below, the Applicants say they provided notice to the IPC as a courtesy only, arguing that the statutory notification requirement was not engaged.

[22] Despite taking that position, SickKids (unlike Halton) provided public notice of the SickKids attack by announcement on its website and social media on December 19, 2022, the day after learning of the attack. SickKids provided further public updates on December 22, 23 and 29, 2022 and January 5, 2023, confirming their conclusion that there was no evidence of any impact on personal health information. SickKids’s public disclosure did not refer to an individual’s entitlement to make a complaint to the IPC under s. 56 of PHIPA.

D. The IPC review

[23] After receiving notice from the Applicants, the IPC opened a file about the ransomware attacks and requested further information. Both Applicants had retained legal counsel and forensic/cybersecurity experts to assist in containment and investigation of the attacks. The Applicants and their counsel provided the IPC with updates of the progress of their investigations and other requested information.

[24] As a result of their investigations, the Applicants concluded that the encryption of their servers occurred at the container level. They advised the IPC that certain information was temporarily unavailable, but they were able to recover information from back-up systems and their day-to-day operations were largely unaffected. They also advised that their investigations found no evidence that any personal information had been viewed, opened, accessed, copied or exfiltrated.

[25] On March 7, 2023, the IPC issued a Notice of Review under s. 318(1) of the CYFSA, to determine whether the Halton attack gave rise to a notification obligation under s. 308(2) of the CYFSA. In its submissions and throughout the review, Halton argued that the Halton attack did not result in any unauthorized “use” or “disclosure”, or (in supplementary submissions) any “loss” of personal information such that notice was required.

[26] On June 1, 2023, the IPC issued a Notice of Review under s. 58(1) of PHIPA relating to the SickKids attack to determine whether the container-level encryption of systems containing personal health information gave rise to a notification obligation under s. 12(2) of PHIPA. In its submissions and throughout the review, SickKids emphasized that the SickKids attack did not result in any theft, loss, or unauthorized “use” or “disclosure” of personal health information in its custody or control since no personal health information had been viewed, accessed, copied, exfiltrated, or otherwise interacted with by the threat actor.

[27] To explain the method of encryption and its lack of impact on any data files containing personal health information, SickKids drew an analogy to a filing cabinet, stating that container-level encryption is akin to changing the lock on the cabinet, which renders the files inside inaccessible but otherwise intact and their contents unaffected. The IPC accepted this analogy in its decision: SickKids Decision, at para. 32.
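As an added illustration of the distinction the court draws in [19] and the filing-cabinet analogy in [27] (constructed example code, not code from the decision, the IPC or either party), the Python model below builds an in-memory stand-in for a virtual disk image holding constructed records, applies encryption once per file and once to the whole image, and reports how many records each approach opened, whether authorised users can still read them afterwards, and whether an untouched backup still can. The keystream is a demonstration construction, not production cryptography, and the record contents and key are made up.

```python
import copy
import hashlib
import hmac
import json
# Constructed sample records (not real data) and a constructed key.
RECORDS = {
    "patient_001.json": b'{"id": 1, "result": "CBC pending"}',
    "patient_002.json": b'{"id": 2, "result": "MRI scheduled"}',
}
KEY = b"constructed-key-known-only-to-the-threat-actor"

def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Demo stream cipher: XOR with an HMAC-SHA256 counter keystream (self-inverse)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class Container:
    """Stand-in for a virtual disk image: one blob holding a serialised directory
    of files, which is only meaningful once parsed."""
    def __init__(self, files: dict):
        self.blob = json.dumps({n: d.hex() for n, d in files.items()}).encode()
        self.files_opened = 0  # individual records read through the filesystem

    def _fs(self) -> dict:  # raises ValueError once the image itself is ciphertext
        return json.loads(self.blob.decode("utf-8"))

    def read_file(self, name: str) -> bytes:
        self.files_opened += 1
        return bytes.fromhex(self._fs()[name])

    def available(self, name: str) -> bool:
        """Can an authorised user still obtain a readable record?"""
        try:
            return json.loads(bytes.fromhex(self._fs()[name])) is not None
        except (ValueError, KeyError):
            return False

def encrypt_file_level(c: Container) -> None:
    """Encrypt records one by one: every file is opened and handled individually."""
    fs = c._fs()
    for name in fs:
        fs[name] = xor_keystream(KEY, c.read_file(name)).hex()
    c.blob = json.dumps(fs).encode()

def encrypt_container_level(c: Container) -> None:
    """Encrypt the whole image: no record is opened, yet the layout locating each
    record becomes unreadable to everyone without the key (the lock on the cabinet)."""
    c.blob = xor_keystream(KEY, c.blob)

def run_scenario(encrypt) -> dict:
    """Take a backup, apply one encryption approach, and report the outcome."""
    live = Container(RECORDS)
    backup = copy.deepcopy(live)  # backup taken before the incident
    encrypt(live)
    return {"records_opened": live.files_opened,
            "available_after": all(live.available(n) for n in RECORDS),
            "available_from_backup": all(backup.available(n) for n in RECORDS)}
```

Both scenarios end with every record unavailable to the authorised user and recoverable only from the untouched backup; the only difference the model shows is that the container-level approach opened zero records, which is the point the IPC treats as making no practical difference to availability.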


CC0

The author has waived all copyright and related or neighboring rights to this Isthatlegal.ca webpage.




Last modified: 19-09-25
By: admin