Tag: Best Practices and Professional Guidelines


Toronto Public Library cyberattack: A wake-up call for stronger security

Case of Note: File MR23-00112. Background: In November 2023, the Toronto Public Library (TPL) reported a cybersecurity breach to the Office of the Information and Privacy Commissioner of Ontario (IPC). The breach, which related to a ransomware attack, was first detected in October 2023 when TPL

Resource

- Published on Mar 14, 2025

Innomar Strategies Cyberattack: Review of Security Practices and Recommendations

A cybersecurity attack on Innomar Strategies’ systems resulted in the exfiltration of a significant number of individuals’ personal health information. The threat actor(s) gained access to an affiliate through a system vulnerability and moved laterally to gain access to Innomar’s systems. Read the

Resource

- Published on Mar 6, 2025

Future of Privacy Forum Webinar Keynote: Safer Internet Day

On Safer Internet Day, Commissioner Kosseim joined the Future of Privacy Forum’s webinar on protecting young people online, highlighting how strong security measures help safeguard their privacy, safety, and digital rights.

Resource

- Published on Feb 11, 2025

Ensuring secure disposal of health records: Out of sight is not out of mind!

Case of Note: PHIPA Decision 266. Background: A complaint was brought to the Information and Privacy Commissioner of Ontario (IPC) alleging that a health clinic had failed to securely dispose of records of personal health information (PHI). To support the allegations, photographs of patient records

Resource

- Published on Feb 10, 2025

Lost and found: Preserving abandoned health records

Case of Note: PHIPA Decision 221 (interim) and PHIPA Decision 230 (final). Background: The Information and Privacy Commissioner of Ontario (IPC) was contacted about a case of potentially abandoned medical records at a storage facility. The report came from a property management company that was acting

Resource

- Published on Jan 7, 2025

Toronto District School Board cyberattack: Recommendations for improved security

A social engineering attack at a TDSB high school led to the unauthorized access of personal information belonging to current and former students, parents and staff across several schools. The threat actor gained unauthorized access to the affected schools’ systems by obtaining the login credentials

Resource

- Published on Jan 6, 2025

Toronto Public Library Cyberattack: Importance of reasonable security measures and notifying affected individuals under MFIPPA

A cyberattack on the Toronto Public Library exposed vulnerabilities in its systems that contained a significant number of individuals’ personal information. Read the closing letter to learn about how the case was settled at the Early Resolution Stage.

Resource

- Published on Dec 19, 2024

Guidance on the Use of Automated Licence Plate Recognition Systems by Police Services

This publication outlines the key obligations of police under privacy legislation in their use of ALPR systems. This is an update of the guidance document originally published in 2017, and provides recommendations, including best practices, on using these systems in a privacy-protective manner

Resource

- Published on Dec 16, 2024

Research Report: Exploring the Potential for a Privacy Regulatory Sandbox for Ontario

Innovators, public institutions, and regulators are continually challenged by rapidly emerging technologies, such as artificial intelligence, and understanding how privacy laws apply to ensure compliance. This report, funded by the Social Sciences and Humanities Research Council, was co-authored by

Resource

- Published on Dec 11, 2024

Preventing health privacy breaches: Why training, policies, and confidentiality agreements matter

Case of Note: PHIPA Decision 260. Background: A public hospital was alerted to suspicious activity on a patient chart, and initiated an investigation, which included a targeted audit. The audit revealed that nearly 4,000 patient charts had been accessed by a physician without authorization, from a

Resource

- Published on Nov 18, 2024