Complaint HR22-00036 (Re), PHIPA DECISION 210 (ON IPC)
Facts
A public hospital was the victim of a cyberattack during which the threat actor accessed numerous hospital systems. The IPC opened a file relating to this breach, and subsequently received four complaints from affected individuals.
During the data breach, the hospital took immediate steps to disable the affected accounts and fix the firewall issue that had allowed the access to occur. It severed its servers from the Internet and third-party networks, and isolated any systems showing signs of compromise. The hospital disabled all compromised accounts, including the one used by the threat actor, and forced password resets for all accounts in the hospital's Active Directory. The hospital was not able to contain the data that the threat actor had already transferred out before the hospital discovered the breach. However, it did make efforts to limit any further spread of this data by monitoring the dark web for signs of any data that may have been obtained from the breach.
The hospital notified the public of the breach by posting a Personal Information Public Notice on its website, and it also self-reported the breach to the IPC by giving notice of a breach under the Personal Health Information Protection Act (the Act).
The hospital provided the IPC with the numerous information security guidelines it had in place, all of which were revised following the cyberattack. These included guidance on password strength, limits on the privileges granted to accounts, and firewall protections. The hospital also provided the IPC with a breach protocol specific to cybersecurity incidents, which was put in place following the incident.
Decision
In light of the numerous steps taken by the hospital to remediate the situation, including the guidance now in place, the Commissioner concluded that it was not necessary to pursue a review of the matter under Part VI of the Act.
Key Takeaway
Taking immediate steps to adequately respond to a data breach, and implementing remediation steps to resolve the resulting harm, will factor into the IPC's discretionary decision whether to review a matter under Part VI of the Act, a review which can lead to offences, prosecutions and fines.