Healthcare Data: Are You Required to Report a Ransomware Attack?

July 25, 2017

Written By Ruth E. Promislow and Ethan Z. Schiff

If you are a healthcare data custodian that is subject to a ransomware attack, you may be required to report the incident to regulators and to those individuals whose information was subject to the attack.

Ransomware attacks typically involve an attacker encrypting the custodian's data and withholding the decryption key until a ransom is paid. The attacker does not necessarily view or copy the data. Whether the attacker read or exfiltrated the data before encrypting it is a question for forensic investigation, and it bears directly on the analysis below.

Part I of the federal Personal Information Protection and Electronic Documents Act (PIPEDA)1 does not apply to health data custodians collecting, using or disclosing personal information in Ontario.2 Instead, healthcare data storage in Ontario is regulated under the Personal Health Information Protection Act, 2004 (PHIPA),3 which the Governor in Council of Canada has deemed to be substantially similar to PIPEDA.4

Once regulations are in place, the PIPEDA regime will require notification to the Privacy Commissioner and to the individuals whose data has been compromised if a cyberattack creates a real risk of significant harm to the individual. Arguably, a ransomware attack creates no such risk to the party whose data is encrypted if the attacker never accesses the information in decrypted form. Entities subject only to PIPEDA may therefore not be obliged to report ransomware attacks. That argument depends, however, on the custodian being able to show from its logs and forensic investigation that the data was not read or exfiltrated; an organization that cannot establish what the attacker could access will have difficulty relying on it.

Unlike the PIPEDA regime, however, ss. 12(2) and 12(3) of PHIPA require that individuals and the Information and Privacy Commissioner be notified if personal health information is "stolen or lost or if it is used or disclosed without authority." Typically, a ransomware attack does not result in the loss or theft of personal health information. The question that arises, therefore, is whether a ransomware attack results in the disclosure of that information.

Some American regulators interpreting similar regulatory regimes consider ransomware attacks to result in a "disclosure".5 The Office for Civil Rights of the United States Department of Health and Human Services, which is responsible for enforcing the American Health Insurance Portability and Accountability Act (HIPAA), stated in its fact sheet as follows:

When electronic protected health information (ePHI) is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.6

The Office for Civil Rights requires notification to individuals whose information was encrypted by a ransomware attack unless the custodian had previously encrypted the ePHI itself in a manner consistent with the recommended guidelines, or can otherwise demonstrate, through its own risk assessment, a low probability that the information was compromised.7 In practice, the prior-encryption exception is narrow: full-disk encryption, for example, offers no protection once a user is logged in and the volume is mounted, because the ransomware runs with that user's access to the decrypted data.

Though Canadian regulators have not issued any similar statement, the Office for Civil Rights' interpretation may be some indication of whether a ransomware attack will be deemed to be a disclosure under the PHIPA regime.

A healthcare data custodian that fails to comply with PHIPA may be subject to various orders of the Information and Privacy Commissioner under s. 61(1), including orders requiring the organization to cease collecting healthcare data and implement certain information practices.

Further, failure to comply with PHIPA could be used as evidence in related civil claims. Healthcare data custodians that are subject to a cyberattack may be held liable under common law causes of action, including the tort of invasion of privacy.8 Such organizations may be particularly exposed to liability from a cyber breach on the basis that they owe a fiduciary duty to the individuals whose information they store and therefore have a heightened duty of care.

To minimize repercussions on the regulatory front and from potential civil claims, organizations that store healthcare data and are subject to a ransomware attack should consult counsel to understand their reporting and notification obligations.9 They should also preserve logs and forensic images from the outset, since that analysis turns on what the attacker was able to access.

The Bennett Jones Cybersecurity team is available to assist.

1 SC 2000, c 5, s 4.

2 See http://www.health.gov.on.ca/english/providers/project/priv_legislation/phipa_pipeda_qa.html#4.

3 SO 2004, c 3, Sched A. See also Alberta's Health Information Act, RSA 2000, c H-5.

4 Health Information Custodians in the Province of Ontario Exemption Order, SOR/2005-399.

5 See https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

6 Ibid.

7 Ibid.

8 See Hopkins v Kay, 2015 ONCA 112.

9 New amendments to PHIPA will be coming into force soon specifically dealing with electronic health information. These provisions apply a similar approach to that already existing under PHIPA.

Please note that this publication presents an overview of notable legal trends and related updates. It is intended for informational purposes and not as a replacement for detailed legal advice. If you need guidance tailored to your specific circumstances, please contact one of the authors to explore how we can help you navigate your legal needs.
