Simon's Megalomaniacal Legal Resources (Ontario/Canada)

Civil and Administrative Litigation Opinions for Self-Reppers

Privacy - CYFSA

Hospital for Sick Children v. Ontario (Information and Privacy Commissioner) [ransomware]

In Hospital for Sick Children v. Ontario (Information and Privacy Commissioner) (Ont Div Ct, 2025) the Ontario Divisional Court dismissed a FIPPA JR brought against a "decision of the respondent Information and Privacy Commissioner of Ontario" (IPC) in which "the IPC found that privacy breaches had occurred, and that the Applicants had failed to comply with the requirement to notify affected individuals".

Here the court notes the outcome of the appeal/JR, and sets out the IPC's treatment of the ransomware attacks (which was upheld in the result):
[3] At issue before the IPC was alleged non-compliance with Ontario privacy legislation. Under that legislation, the Applicants are required to notify individuals, at the first reasonable opportunity, of the theft, loss, or unauthorized use of their personal information that is in the Applicants’ possession or control. The notification is required to include a statement about the individuals’ entitlement to make a complaint to the IPC about the privacy breach.

[4] Following separate cybersecurity incidents (known as “ransomware” attacks), the Applicants were temporarily unable to access individuals’ personal information on the Applicants’ servers. After investigation, the Applicants concluded that the perpetrators were not able to view, access or exfiltrate any of the data. Both Applicants notified the IPC of the ransomware attacks but took the position that the requirement to notify affected individuals had not been engaged. SickKids (but not Halton) publicly disclosed the attack, without referring to the entitlement to complain to the IPC.

[5] In the Decisions, the IPC found that privacy breaches had occurred, and that the Applicants had failed to comply with the requirement to notify affected individuals. In the Halton Decision, the IPC ordered Halton to provide the required notice by posting a notice on its website or issuing a public release. In the SickKids Decision, the IPC did not issue a remedial order. The adjudicator found no useful purpose in doing so, given SickKids' previous public disclosure.

....

E. The Decisions

[28] The IPC adjudicated and issued both the SickKids Decision and the Halton Decision on July 5, 2024. In each case, for substantially similar reasons, the IPC found that the ransomware attack resulted in both an unauthorized “use” and a “loss” of personal information within the meaning of the applicable legislation. Therefore, the IPC concluded that the Applicants were required to notify affected individuals of the attacks “at the first reasonable opportunity”: see PHIPA, s. 12(2); CYFSA, s. 308(2).

[29] On the same day as the Decisions, the IPC issued two other decisions that stemmed from cyberattacks on health information custodians subject to PHIPA: Kingston, Frontenac and Lennox & Addington (KFL&A) Public Health (Re), 2024 CanLII 67096 (ON IPC); Simcoe Muskoka District Health Unit (Re), 2024 CanLII 67094 (ON IPC). In each decision, the IPC found that the cyberattack resulted in both an unauthorized “use” and a “loss” of personal information within the meaning of s. 12(2) of PHIPA. These decisions (like the Decisions being considered by this panel) each included the same statement under the heading “Overview” (in each case at para. 2):
As these decisions illustrate, a cyberattack on an organization’s information systems may trigger the duty to notify whether or not the attacker takes further malicious action (like using stolen identity information, or demanding a ransom) with the affected information.
i. Unauthorized use of information

[30] In the SickKids Decision, at paras. 39-43, the IPC provided the following justification for its finding that the ransomware attack resulted in an unauthorized “use” of personal health information within the meaning of s. 12(2) of PHIPA:
39. I accept the hospital’s evidence that the threat actor’s encryption of hospital servers occurred at the container level, rather than at the level of individual files of personal health information housed within those servers. For the purposes of this decision, I am also prepared to accept the hospital’s evidence that the threat actor did not view or access any individual files of personal health information housed within the hospital’s environment that the threat actor infiltrated. However, the question remains whether the personal health information in the affected servers was “handled” or “otherwise dealt with,” and thus “used” within the meaning of PHIPA. I find that the personal health information was used in this way.

40. This is because I do not accept the hospital’s assertion that the threat actor’s locking (by encryption) of external containers housing personal health information has no effect on that information. Instead, it is my view that the transformation (by encryption) of external containers also transforms the personal health information housed within those containers—at a minimum, by making that personal health information unavailable and inaccessible to authorized users of that information. The effect of making unavailable to the hospital the personal health information held within the encrypted containers is, I find, a kind of “handling” of or “dealing with” that information, and thus a use within the meaning of PHIPA.

41. The hospital argues that to the extent any personal health information was inaccessible during the ransomware attack, backups of that information were readily available. But the restoration of personal health information from backups does not negate the fact that something happened to the personal health information inside the encrypted containers, giving rise to the need to restore that information. The availability of backups to restore the affected personal health information does not preclude a finding of use.

42. I also note that this use of personal health information occurs whether or not the threat actor actually views or accesses specific files of personal health information held within the affected containers, or exfiltrates that information outside the hospital’s environment. It is my finding that the act of encrypting containers housing personal health information is, by itself, a use of that information within the meaning of PHIPA.

43. There is no claim that this use occurred with the appropriate consent, or was permitted or required to be done without consent under PHIPA. In these circumstances, the threat actor’s encryption of hospital servers was an unauthorized use of personal health information within the meaning of section 12(2).
[31] In the Halton Decision, at paras. 52-55, the IPC provided substantially similar reasoning for finding that the Halton ransomware attack resulted in an unauthorized use of personal information within the meaning of s. 308(2) of the CYFSA.

ii. Loss of information

[32] In the SickKids Decision, at paras. 47-53, the IPC provided the following justification for its finding that the ransomware attack resulted in the “loss” of the personal health information within the meaning of s. 12(2) of PHIPA:
47. The hospital submits that a finding of loss in this case would not be supported by the case law and would not reflect the mechanics of the encryption that occurred. The hospital says that previous IPC decisions that found a loss of personal health information involved situations where that information was destroyed or misplaced—where the losses were crystallized and, to a degree, permanent. By contrast, the hospital says, the ransomware attack at issue here did not result in a permanent lack of access to the affected servers or to the personal health information contained in them, since backups of the servers were not affected by the attack and were available to support the hospital’s clinical functions. In these circumstances, the hospital says, there was no “loss” of personal health information.

48. A robust backup policy is an important component of an organization’s information security practices. In this case, the hospital had in place policies and practices that enabled it to quickly restore its information systems and resume its clinical functions. The hospital’s information practices were key to its ability to quickly recover from the cyberattack.

49. However, the restoration of affected systems from backups does not negate the fact that, for some period of time, personal health information in the custody or control of the hospital was made inaccessible to it as a result of the threat actor’s attack on its information systems. Specifically, the ransomware encryption attack had the effect of denying authorized users (i.e., the hospital) access to personal health information that it required to provide services. As the hospital publicly reported, the consequences of this loss of availability included delays retrieving lab and imaging results, and some resulting diagnostic and treatment delays.

50. The distinction drawn by the hospital between encryption occurring at the file level and encryption occurring at the container level makes no practical difference to my finding. In either case, the effect on an individual’s personal health information is the same: that information is made unavailable to the authorized user of that information because of an unauthorized activity. I find this is a “loss” of that information within the meaning of section 12(2) of PHIPA, and the duty to notify is thus also triggered for this reason.

51. In defining loss in this way, I distinguish this situation from other routine or non-routine disruptions in a custodian’s ability to access or otherwise use personal health information in its custody or control for authorized purposes. For example, a scheduled software or hardware maintenance operation or an unexpected power outage may also disrupt, for a temporary period, a custodian’s ability to access personal health information in its custody or control for authorized purposes. An overly broad interpretation of the terms “lost” and “loss” in section 12(2) could require the notification of individuals in situations like these, which would not in my view serve the purpose of the duty to notify. Further, it is not difficult to imagine how an overly broad interpretation of loss could lead to notification fatigue on the part of the public, disproportionate costs to the custodian, and other unintended and undesirable consequences.

52. Instead, I adopt a purposive definition of these terms in section 12(2) that, in the context of a ransomware attack, contemplates notice to affected individuals where there has been an unauthorized action in respect of their personal health information. It is consistent with the purposes of section 12(2) that individuals be notified of a third party’s malicious action done with the intention of, and having the effect of, denying a custodian access to those individuals’ personal health information in the custodian’s custody or control.

53. The purpose of the duty to notify in these circumstances is to inform individuals about the unauthorized action involving information that, in a fundamental sense, belongs to them. These individuals should be made aware if the custodian is not able to access their personal health information as a result of unauthorized activity, and of the risks associated with that activity. It is also consistent with a purposive reading of this section not to require notification in a situation like routine maintenance or a power outage, which may disrupt a custodian’s ability to access personal health information, but which is not the result of unauthorized activity and is not likely to increase the risk of unauthorized activity. The latter situations generally would not qualify as a loss under section 12(2). The different outcomes in these different scenarios are in keeping with the purposes of the duty to notify in PHIPA.

[Footnotes omitted.]
[33] In the Halton Decision, at paras. 58-64, the IPC provided substantially similar reasoning for finding that the ransomware attack resulted in the loss of personal information within the meaning of s. 308(2) of the CYFSA.

iii. Remedy

[34] In the SickKids Decision, the IPC noted that SickKids made appropriate public disclosure of the SickKids attack in its aftermath. However, the IPC found that the notice did not comply with s. 12(2) of PHIPA because it did not include a statement about the right to complain to the IPC. The IPC also decided that there was no useful purpose in directing SickKids to provide notice of the right to complain at that time. Therefore, the IPC concluded its review without issuing a remedial order.

[35] In the Halton Decision, in the absence of prior public disclosure of the Halton attack, the IPC decided to make a remedial order as a result of Halton’s noncompliance with the notification requirement in s. 308(2) of the CYFSA. As set out in the Summary of the Halton Decision, the IPC found:
After taking into account relevant circumstances, including the evidence of diligent efforts by the [Halton] CAS to contain and to mitigate the risks of the privacy breach, the adjudicator finds that the notice requirement can be met in this case through the posting of a general notice on the CAS’s website, or another form of indirect public notice. The adjudicator orders the CAS to provide this notice within 30 days of the date of this decision.
[36] In deciding the notice on Halton’s website or other form of indirect notice was sufficient, the IPC considered and rejected requiring Halton to provide direct notice to individuals, stating that it was satisfied that a flexible approach to notification is appropriate in the circumstances: Halton Decision, at para. 75.
Hospital for Sick Children v. Ontario (Information and Privacy Commissioner)

In Hospital for Sick Children v. Ontario (Information and Privacy Commissioner) (Ont Div Ct, 2025) the Ontario Divisional Court dismissed a joint appeal/JR brought against a "decision of the respondent Information and Privacy Commissioner of Ontario" (IPC) in which "the IPC found that privacy breaches had occurred, and that the Applicants had failed to comply with the requirement to notify affected individuals".

Here the court considers some personal information duties under the CYFSA:
ii. CYFSA “service provider”

[15] As a “service provider” under the CYFSA, Halton has corresponding obligations relating to the “personal information” in its custody or control. Section 308 of the CYFSA provides:
Steps to ensure security of personal information

308(1) A service provider shall take reasonable steps to ensure that personal information that has been collected for the purpose of providing a service and that is in the service provider’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

Notice of theft, loss, etc. to individual

(2) Subject to any prescribed exceptions and additional requirements, if personal information that has been collected for the purpose of providing a service and that is in a service provider’s custody or control is stolen or lost or if it is used or disclosed without authority, the service provider shall,

(a) notify the individual to whom the information relates at the first reasonable opportunity of the theft, loss or unauthorized use or disclosure; and

(b) include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under section 316.

Notice to Commissioner and Minister

(3) If the circumstances surrounding the theft, loss or unauthorized use or disclosure meet the prescribed requirements, the service provider shall notify the Commissioner and the Minister of the theft, loss or unauthorized use or disclosure.

[Emphasis added.]
[16] The terms “use” and “lost” (or “loss”) are not defined in the CYFSA.

[17] The entitlement to make a complaint to the Commissioner under Part X of the CYFSA is set out in s. 316(1), which provides:
Complaint to Commissioner

316(1) A person who has reasonable grounds to believe that another person has contravened or is about to contravene a provision of this Part or the regulations made for the purposes of this Part may make a complaint to the Commissioner.

CC0

The author has waived all copyright and related or neighboring rights to this Isthatlegal.ca webpage.

Last modified: 19-09-25
By: admin