Digital artwork by Amy Jiao of Surface Impression, commissioned for the IPC’s Transparency Showcase.

A worrying rise in cyberattacks in the MUSH sector

Over the past several years, Ontario organizations have become increasingly vulnerable to cyberattacks. According to the Canadian Internet Registration Authority’s 2024 Cybersecurity Survey, the risk of cyberattacks is on the rise, particularly for municipalities, universities, schools and hospitals (the MUSH sector). The survey found that 55 per cent of MUSH sector organizations had experienced a cyberattack in 2024, compared to 38 per cent in 2023. Of the attacks on MUSH sector organizations in 2024, 29 per cent were successful, compared to 22 per cent in 2023.

Interpretation bulletins help clarify how Ontario’s access and privacy laws are applied, supporting better decision-making by institutions and smoother resolutions for the public.

MUSH sector organizations store vast amounts of personal information and must maintain critical operations through thick and thin, which makes them particularly attractive targets for cyberattacks. Some attackers focus on encrypting data to disrupt services; others threaten to publish sensitive personal information on the dark web. In either case, organizations must act quickly to contain the breach, recover the data, and investigate the root cause. Organizations affected by cyberattacks must notify those affected in a timely and appropriate manner, considering factors such as the number of people impacted, the sensitivity of the data involved, and any ongoing privacy risks. Most importantly, organizations must put in place remedial measures to minimize the risk of such a breach recurring.

Responding to cyberattacks   

Throughout 2024, the IPC received a number of high-profile breach reports from institutions that had been the subject of major cyberattacks. Several of these cases were resolved once the affected institutions had contained the breach, taken satisfactory steps to identify the root cause, notified affected individuals, and implemented remedial measures to prevent future attacks. Among these resolved cases are MOVEit (in relation to a prescribed person under PHIPA), Innomar Strategies, Toronto Public Library, and the Toronto District School Board.

Other cyberattack incidents that could not be resolved early on proceeded to a fuller investigation by the IPC. An example is PHIPA Decision 249. This investigation involved a ransomware attack on a medical imaging clinic, compromising over 500,000 patient records. Unfortunately, the clinic ended up having to pay the ransom to restore access to its records and resume providing health services. The clinic responded to the attack by shutting down its servers immediately and engaging cybersecurity experts to investigate the source of the breach. The IPC found that the clinic acted appropriately in containing the breach, notifying affected individuals, and improving cybersecurity measures on a go-forward basis, including by limiting administrative access and maintaining reliable offline backups.

55% of MUSH sector organizations experienced a cyberattack in 2024; 29% of these attacks were successful.

Encryption: To notify or not to notify? 

When personal information is locked down or encrypted by a threat actor — making it inaccessible or unavailable to authorized users — it can be considered a loss or unauthorized use of that information. This is so even if the files themselves aren't accessed or taken (exfiltrated) from the system. In a series of four decisions issued in 2024, the IPC clarified the obligation of organizations to notify affected individuals in such cases.  

Three of these cases (PHIPA Decision 253, PHIPA Decision 254 and PHIPA Decision 255) involved health information custodians (HICs) subject to the Personal Health Information Protection Act (PHIPA), and the fourth case (CYFSA Decision 19) involved a children’s aid society subject to Part X of the Child, Youth and Family Services Act (CYFSA). In all four cases, the organizations took the position that there was no duty to notify affected individuals because there was no evidence that personal health information or personal information had been exfiltrated from their systems. The IPC disagreed, finding that the loss or unauthorized use or disclosure of personal (health) information triggered the duty to notify affected individuals under PHIPA or Part X of the CYFSA, as applicable, even if the cyberattack did not result in the exfiltration of the information.

Two of these respondent organizations, the Hospital for Sick Children (SickKids) and the Halton Children’s Aid Society, disagreed with the IPC’s decisions and filed for judicial review of PHIPA Decision 253 and CYFSA Decision 19, respectively (see IPC in the courts). 

Ensuring privacy protections on university campuses

In 2024, the IPC addressed significant privacy concerns related to the use of personal data in university settings, reinforcing the need for transparency, consent, and compliance with privacy laws.

In PHIPA Decision 243, the IPC investigated an anonymous complaint from a group of physicians regarding the UTOPIAN health research database at the University of Toronto. The physicians alleged that the personal health information used to populate the database had been extracted without patient consent and without providing them with sufficient information about the research. The physicians also alleged that the personal health information was not adequately de-identified before being sold or otherwise provided to third parties. 


The IPC’s investigation found that the university had violated several of the research conditions in section 44 of PHIPA. Of significant concern was the fact that the university had been operating UTOPIAN for some time after the Research Ethics Board (REB) approval had lapsed and had not informed the participating physicians of this. The investigation also found that the university failed to provide copies of the research plans to the physicians and did not effectively amend the research agreements to reflect the expanded information it began collecting, using and retaining from patient records. Although patient consent was not required, the university failed to conduct the required site visits to ensure compliance with patient notice requirements in doctors’ offices. The IPC found no concerns with the de-identification method being used, and no evidence of unauthorized data sale to commercial third parties.

The IPC recommended that the university update its research agreements with contributing physicians to reflect its current practice and that it comply with the terms of those agreements. The IPC also recommended that the university update its means of notifying patients about the project, conduct a re-identification study to assess the continuing effectiveness of its de-identification procedures, and improve its transparency with physicians who agreed to provide patient data to the research database.

This case highlights the importance of compliance with privacy regulations to maintain ethical research practices and public trust in the use of health data for research.

Lessons from Waterloo: The importance of due diligence in smart tech procurement  

In February 2024, media reports brought to light that intelligent vending machines equipped with face detection technology had been installed on the University of Waterloo’s main campus. These machines were part of a snack vending services agreement between the university and a third-party provider.

The IPC’s investigation found that the machines used cameras to capture identifiable facial images, resulting in an unauthorized collection of personal information and a privacy breach. The collection occurred without proper notice to individuals. However, there was no evidence indicating that identifiable information was further used or disclosed.

The investigation further revealed that these issues resulted from flaws in the university’s tendering and procurement process. Specifically, the process failed to examine the full supply chain and did not identify or assess the use of facial detection technologies in the machines.

When institutions are considering smart technologies — particularly those involving facial detection — they need to take steps to understand what’s being deployed. This includes conducting a privacy impact assessment and information risk assessment where appropriate and ensuring that any third-party providers are properly vetted.

Following the IPC’s investigation, the university confirmed it has stopped using the vending machines, eliminating any ongoing risk to students and staff. 

A wake-up call for physician privacy training

In PHIPA Decision 260, a public hospital reported a privacy breach after one of its physicians accessed thousands of patient records without authorization. The hospital audited the physician’s access and interviewed him directly. The physician, who had recently joined the hospital, told the hospital he believed he was allowed to review the records for educational purposes. While there was no evidence of targeted snooping or personal ties to the patients, the physician accessed the records of nearly 4,000 individuals who were not under his care.
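The audit described above, in which the hospital compared the physician’s chart accesses against the patients actually under his care, is the kind of check an access-log review can automate. The following is an added illustrative example, not the hospital’s or the IPC’s tooling: the log format, the care-relationship table, the user and patient identifiers and the alert threshold are all assumptions constructed for this example.

```python
"""
Audit of electronic health record (EHR) access logs: flag users who open the
charts of patients with whom they have no documented care relationship.

Added illustrative example, not the hospital's or the IPC's code. The log
format, the care-relationship table, the identifiers and the threshold are
all constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one record per chart access.
# Assumed fields: timestamp, user_id, patient_id, action
ACCESS_LOG = """\
2024-03-04T08:01:12Z,dr_lee,P1001,VIEW_CHART
2024-03-04T08:03:40Z,dr_lee,P1002,VIEW_CHART
2024-03-04T08:04:02Z,dr_lee,P1003,VIEW_CHART
2024-03-04T08:04:30Z,dr_lee,P1004,VIEW_CHART
2024-03-04T08:05:01Z,dr_lee,P1005,VIEW_CHART
2024-03-04T09:15:00Z,nurse_kim,P1001,VIEW_CHART
2024-03-04T09:16:10Z,nurse_kim,P1006,VIEW_CHART
2024-03-04T10:00:00Z,dr_patel,P1007,VIEW_CHART
"""

# Constructed care-relationship table: (user_id, patient_id) pairs derived
# from admissions, consults or referrals. In a real hospital this would be
# fed from the ADT/scheduling system rather than hard-coded.
CARE_RELATIONSHIPS = {
    ("dr_lee", "P1001"),
    ("nurse_kim", "P1001"),
    ("nurse_kim", "P1006"),
    ("dr_patel", "P1007"),
}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str


def parse_log(text: str) -> list:
    """Parse the assumed CSV-style log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append(
            AccessEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, patient, action)
        )
    return events


def unexplained_accesses(events, relationships) -> dict:
    """Map each user to the patient IDs they accessed without a care relationship."""
    out = defaultdict(list)
    for e in events:
        if (e.user, e.patient) not in relationships:
            out[e.user].append(e.patient)
    return dict(out)


def flag_users(events, relationships, threshold: int = 3) -> list:
    """Users whose number of distinct unexplained patients meets the threshold.

    Returns a list of (user, count) pairs, highest count first. The threshold
    is an assumption; a real program would tune it and review every hit by hand.
    """
    unexplained = unexplained_accesses(events, relationships)
    flagged = {u: len(set(p)) for u, p in unexplained.items() if len(set(p)) >= threshold}
    return sorted(flagged.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for user, n in flag_users(parse_log(ACCESS_LOG), CARE_RELATIONSHIPS):
        print(f"{user}: {n} distinct patients accessed without a documented care relationship")
```

A check like this only works if the care-relationship table is complete: approved uses that fall outside direct care, such as break-the-glass emergencies or an explicitly permitted educational review, need to be recorded as well, or every legitimate case will surface as a hit. That gap is exactly what the hospital’s missing policy on educational use left open.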

The IPC investigation found that although the hospital had policies in place requiring privacy training and signed confidentiality agreements for all staff, it wasn’t enforcing these requirements for its physicians. Unlike other staff, physicians weren’t receiving privacy training or re-signing confidentiality agreements each year, and their compliance wasn’t being tracked. In addition, the hospital had no policy or guidance about using personal health information for education purposes, an oversight that contributed directly to this breach. 


In the months that followed, the hospital made significant improvements. It launched an electronic system to ensure that all staff — including physicians — receive annual privacy training and sign updated confidentiality agreements. It put systems in place to monitor compliance and follow up when training isn’t completed. It also revised its policies to clarify that staff may not use personal health information for education purposes unless they have specific permission. 

This case highlights the importance of not just writing privacy policies but implementing them, tracking compliance, and making sure that everyone, physicians included, complies with the rules and understands what is and isn’t allowed when it comes to accessing patient information.

Out of sight is not out of mind: Ensuring secure disposal of health records

In PHIPA Decision 266, the IPC investigated a complaint about a health clinic that failed to securely dispose of paper records containing personal health information (PHI). Patient records were found discarded in an unsecured recycling bin. Although many documents were shredded or torn by hand, IPC investigators were able to recover sensitive details, including names, birthdates, and medical history.

The clinic admitted it had no formal privacy or disposal policies in place and had relied on informal, verbal instructions. The investigation found the clinic was not in compliance with its legal obligations under PHIPA, including the duty to take reasonable steps to protect PHI and to securely dispose of it.

To address these issues, the clinic implemented new privacy and records policies, updated its employee handbook with PHIPA resources, and introduced mandatory staff training with written attestations, on the basis of which the case was resolved. 

For health information custodians looking to get rid of old patient files at the end of their applicable retention period, this case provides key insights. It highlights the importance of having clear, written policies on how personal health information must be securely disposed of, and of regularly training staff on their privacy-related responsibilities. Paper records must be properly shredded using a cross-cut or micro-cut shredder (not just torn by hand) to prevent reconstruction. If disposal is handled by a third party, there should be a formal agreement outlining how records will be securely destroyed. Further, organizations must be prepared to notify individuals promptly when their information is lost, stolen, or improperly disclosed.

"Time and time again, we see that good information governance means not only having privacy policies in place, but also training staff on how to implement them in practice and then doing the necessary follow up to make sure the training is up to date and provided on a regular basis."