
Professional organizations, including medical, dental and other health care practices, continually depend on technology and digital advancements to collect, store and organize information about their patients. Increasing use of electronic data and electronic medical records creates a heightened risk of cybersecurity threats for many professional practices given the type of information they collect and store about their patients. Such patient information may include names, addresses, birthdates, social insurance numbers, health history, health card numbers, insurance information, and banking information. Taking into account the sensitive nature of this information, it is critical that appropriate steps are taken to safeguard against cyber attacks and security breaches.

Understanding the kinds of threats posed to your professional practice is part and parcel of better protecting yourself. One of the most common threats is Business Email Compromise, also called BEC. BEC is a form of “phishing” that dupes email users into sending otherwise confidential patient information. Using socially manipulative techniques, such as imitating a practice manager, hackers are able to exfiltrate personal information relating to patients.

Hackers will also tempt users into clicking on links that open malicious software. Once that software has infiltrated a system, hackers are able to exfiltrate sensitive information and lock you and your practice out of your computers. Hackers then demand a ransom, usually in the form of a cryptocurrency, to restore access to your computers. This is exactly what happened in 2019, when malware known as Ryuk attacked three Ontario hospitals. Fortunately, the hackers were unsuccessful in their attempts to exfiltrate patient data, and no ransom was paid.

In order to better protect patients from these kinds of threats, Ontario developed privacy legislation known as the Personal Health Information Protection Act (PHIPA). PHIPA places unique responsibilities on individuals who control and collect health information. Organizations now have increased statutory obligations to protect patient information. This legislation sets up a framework of mandatory principles and enforceable rules that are intended to protect individuals’ personal health information. Failure to protect patient information and comply with the requirements under PHIPA may result in a host of liability issues. Given the sensitive nature of health information, the legislation sets out fines of up to $100,000 for individuals and $500,000 for institutions.

Under PHIPA, certain reporting obligations and requirements are imposed on hospitals and health information custodians (HICs) in the event of a privacy breach. Health information custodians include healthcare practitioners, hospitals, pharmacies, and others. It is mandatory that HICs report certain privacy breaches to the Information and Privacy Commissioner of Ontario (IPC), including unauthorized use or disclosure of information; stolen information; further use or disclosure without authority after a breach; a pattern of similar breaches; disciplinary action against a college member or non-college member; and any other significant breach[1]. Additionally, HICs are responsible for submitting statistics with respect to any breaches that did not meet the criteria for mandatory reporting to the IPC. An HIC must submit a report each year setting out statistics on the number of times in the previous calendar year that personal health information in the HIC’s custody or control was stolen, lost, used without authority and/or disclosed without authority[2].

It is of paramount importance that healthcare practitioners understand the notification requirements under PHIPA, as well as those under the regulatory body governing their professional practice. It is suggested that practitioners work hand in hand with their IT team, staff, and legal counsel to develop an effective strategy to not only safeguard against a potential breach, but to carefully and appropriately handle cybersecurity threats and the risks posed to patient care and privacy.

For more information regarding cybersecurity and the protection of patient information, please feel free to contact our Data, Technology and Privacy Group or our Professionals Practice Group.

[1] O Reg 329/04, s 6.3.

[2] Supra, s 6.4(1).
