Court File and Parties
CITATION: The Hospital for Sick Children v. Information and Privacy Commissioner of Ontario, 2025 ONSC 385
DIVISIONAL COURT FILE NO.: DC-24-449-JR
DATE: 2025-01-17
SUPERIOR COURT OF JUSTICE – ONTARIO
DIVISIONAL COURT
RE: THE HOSPITAL FOR SICK CHILDREN, Applicant AND: INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO, Respondent
BEFORE: SHORE J.
COUNSEL: Christine Muir and Travis Walker, for the Applicant; Brendan Gray, for the Respondent
HEARD at Toronto: January 16, 2025
Endorsement
[1] The Applicant, the Hospital for Sick Children ("SickKids" or the "hospital"), brought a motion for a sealing order, under s. 137(2) of the Courts of Justice Act, to redact some limited information in the record of proceedings.
[2] The motion is granted, as requested.
[3] On December 18, 2022, there was an encryption-based cybersecurity attack on the hospital, and specifically a ransomware encryption attack. The incident disrupted clinical and corporate systems, phone lines and webpages. There were delays in sending prescriptions and retrieving lab results and imaging results, causing longer diagnostic and treatment wait times.
[4] By December 23, 2022, the incident was contained and by December 29, 2023, roughly 50% of the hospital’s priority systems had been restored.
[5] After the attack, the hospital reported to the Information and Privacy Commissioner of Ontario ("IPCO"). The IPCO commenced an investigation, and then a formal review under the Personal Health Information Protection Act (PHIPA), including whether notice to patients or others whose personal health information may have been impacted by the incident was required.
[6] The issue on the application for judicial review and appeal is whether the incident resulted in unauthorized "disclosure" or "use", or "loss" of personal health information, within the meaning of s.12(1) of PHIPA. The hearing is scheduled for May 1, 2025.
[7] SickKids cooperated with the investigation. In the course of the investigation, the hospital responded to multiple requests for information from IPCO, including information about its technology and security safeguards. The IPCO adjudicator agreed to keep this information confidential and omitted from the decision details of the hospital's cybersecurity infrastructure, security measures and other details that could put the hospital at an increased risk of future cyberattacks.
[8] The hospital is seeking to redact similar information, found in only a few documents that form part of the Record of Proceedings.
[9] The hospital submits that the redactions protect certain information critical to the safety and security of the hospital's information technology systems, and thus the uninterrupted operation of critical paediatric medical care that it provides.
[10] The information being redacted is information regarding third party service providers, software products installed on their network, their infrastructure and network configuration, password policies, file structures, address protocols, particulars of the communications from the cyber attackers, and their incident response protocols.
[11] In considering the three-part test set out in Sherman Estate v. Donovan, 2021 SCC 25, I accept that the publication of this information is prejudicial to SickKids, as it increases the hospital's exposure and vulnerability to future cybersecurity attacks. The redactions they seek are minimal, to protect against further cyber attacks in the future, protecting patients, families and staff, an important public interest. There is no reasonable or proportionate alternative. I find this to be reasonable in these circumstances.
[12] The draft order is granted.
Costs:
[13] In response to the motion, IPCO filed a motion record, including affidavit evidence, but no factum. On the eve of this motion, IPCO provided a letter to the court, which is neither proper evidence nor a factum.
[14] In the letter, it states that they are not opposing the motion but providing the letter "to assist the Divisional Court, given the IPC's role as the statutory tribunal responsible for cyber security...". As with other submissions by tribunals assisting the Court, they should have filed a factum. There is no ability to put a letter before the Court on a motion.
[15] IPCO was the only party opposing the motion at the outset. A schedule had been set up with the hospital and IPCO for the exchange of material. IPCO served an affidavit that the hospital had to address. But for reasons that are unexplained, IPCO then failed to file their factum and sent a letter which had all the trimmings of a factum but was not properly before the Court.
[16] In the letter, IPCO proceeds to provide reasons why the order should not be granted and provides a detailed response to the hospital's factum. Their letter does not "assist" the court by clarifying procedures, policies or the law, but is full of statements of fact. Again, all of this should have been contained in a factum.
[17] IPCO asks that no costs be ordered against it, as it only became involved to assist the Court. That is not the position taken by IPCO up until the filing of their letter. They were the only party opposing the motion, which is why a schedule was set out in my previous direction and a hearing date booked. Filing a letter in lieu of a factum does not absolve them from costs consequences.
[18] I find the Hospital is entitled to their costs of the motion. They were successful on their motion. They were required to proceed with a scheduled motion, including affidavits, factums and reply material as a direct result of IPCO’s actions.
[19] The parties may each serve and file (by uploading onto Case Center) their bill of costs and no more than 2 pages of written submissions as to quantum, within ten days, and email to the court to my attention.
Shore J.
Date: January 17, 2025

