On September 16, 2025, the Ontario Superior Court of Justice Divisional Court (the Court) issued its decision in Hospital for Sick Children v. Ontario (Information and Privacy Commissioner), 2025 ONSC 5208, upholding decisions of the Information and Privacy Commissioner of Ontario (IPC) which found that encryption-only cyber incidents give rise to notification obligations under Ontario’s Personal Health Information Protection Act (PHIPA) and Child, Youth and Family Services Act, 2017 (CYFSA).

In 2022, The Hospital for Sick Children (SickKids) and Halton Children’s Aid Society (CAS) experienced separate ransomware attacks that encrypted their systems, temporarily blocking access to individuals’ personal information (PI) and personal health information (PHI). The organizations’ investigations found no evidence of data being viewed, accessed, or exfiltrated—only encrypted at the “container” level. Both organizations reported the incidents to the IPC but took the position that the encryption-only cyber incidents did not trigger individual notification requirements under applicable legislation. SickKids, unlike CAS, also publicly disclosed the attack but did not include information about individuals’ right to file a complaint with the IPC, as required under PHIPA.

Following its investigations, the IPC concluded that both cyber incidents constituted unauthorized “use” and “loss” of PI and PHI under PHIPA and CYFSA, and the IPC found that both organizations had failed to satisfy their corresponding notification obligations. CAS was ordered to notify affected individuals via its website or a public release, but no remedial order was issued to SickKids, as the IPC determined it would serve no useful purpose. Both organizations sought judicial review of the IPC’s decisions, and CAS appealed the IPC’s order.

The Court dismissed the appeal and judicial review applications, determining that the IPC was not unreasonable in finding there was unauthorized “use” of PI and PHI that gave rise to a requirement to notify affected individuals. It also noted that “use” can occur without direct interaction with the information. The Court further clarified that notification requirements serve not only to inform individuals of potential risks, but also to enable IPC oversight of Ontario’s access to information and privacy laws.

Summary By: Claire Bettio

 

E-TIPS® ISSUE

25 10 15

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.