Redactions requested for information on software products, password policies, file structures
In a recent case involving the fallout of an encryption-based cybersecurity attack on a hospital, the Ontario Divisional Court granted the hospital’s motion for a sealing order of information relating to its technology and security safeguards.
The hospital, which was the applicant in this case, faced a ransomware encryption attack on Dec. 18, 2022. The incident affected its clinical and corporate systems, communications, and webpages. It also led to delays in sending prescriptions, retrieving lab results and imaging results, and providing diagnoses and treatment.
The hospital succeeded in containing the attack on Dec. 23, 2022 and in restoring nearly half of its priority systems by Dec. 29, 2023. It reported the incident to the Information and Privacy Commissioner of Ontario (IPCO), which began an investigation.
During a formal review, the IPCO considered whether it was necessary to notify the patients and others whose personal health information the attack might have affected. The question was whether there was an unauthorized disclosure, use, or loss of this information under s.12(1) of Ontario’s Personal Health Information Protection Act, 2004.
The hospital provided information about its technology and security safeguards in response to the IPCO’s numerous information requests throughout the investigation. The IPCO’s adjudicator kept the information confidential by omitting from the decision any details that could potentially increase the hospital’s vulnerability to cyber attacks.
The hospital then moved for a sealing order under s.137(2) of Ontario’s Courts of Justice Act, 1990. It wanted to redact limited information from a few documents included in the record of proceedings.
The requested redactions involved information on third-party service providers, software products, infrastructure and network configuration, password policies, file structures, address protocols, incident response protocols, and details of the cyber attackers’ communications.
The hospital alleged that redacting this information would help protect information that was important for the safety and security of its information technology systems and its uninterrupted delivery of critical paediatric medical care.
In The Hospital for Sick Children v. Information and Privacy Commissioner of Ontario, 2025 ONSC 385, the Divisional Court of the Ontario Superior Court of Justice granted the motion after it found that this case met the three-part test provided by Sherman Estate v. Donovan, 2021 SCC 25.
First, the court found that publishing the information sought to be redacted could possibly expose the hospital to the risk of cybersecurity attacks in the future.
Second, the hospital was seeking minimal redactions to protect itself from future cyber attacks as well as to protect its patients, staff, and their families, which amounted to an important public interest, the court said.
Lastly, the court saw no reasonable or proportionate alternative to the sealing order. Given these findings, the court awarded the hospital the motion’s costs due to its success in the motion.