IPC Imposes Second Monetary Penalty Under Ontario’s Health Privacy Law
Overview
On April 23, 2026, the Information and Privacy Commissioner (“IPC”) issued a $2,000 administrative penalty under the Personal Health Information Protection Act, 2004 (“PHIPA”), which marks only the second time the IPC has imposed an administrative penalty under Ontario’s health privacy law.
The penalty follows an incident in which a patient services clerk inappropriately accessed 436 patient records while acting as an agent for the Children’s Hospital of Eastern Ontario (“CHEO”). The decision raises questions about whether the IPC is moving toward a more robust use of monetary penalties and underscores the importance of compliance for information custodians.
Background
In October 2024, the IPC received a breach report on behalf of CHEO alleging that a patient services clerk inappropriately accessed the personal health information of 436 patients. CHEO discovered the breach after a nurse inquired about her stepchild’s medical care despite not being a legal guardian. An audit of the patient services clerk revealed that she had improperly accessed the child’s health record, and further investigation revealed a broader pattern in which hundreds of patient records were inappropriately accessed through CHEO’s electronic system.
Issues
The IPC opined on whether:
A. CHEO complied with its obligations to protect personal health information in its custody or control, including through its agents
B. CHEO responded adequately to the privacy breach
C. The IPC should impose an administrative penalty or any other order against the patient services clerk, given the circumstances of this matter
Outcome
A. Compliance Obligations to Protect Personal Health Information
According to Section 12(1) of PHIPA, information custodians are required to take steps reasonable in the circumstances to secure personal health information in their control. This obligation includes implementing appropriate administrative and technical safeguards, such as privacy policies, procedures and practices, audits, privacy training and awareness programs and initiatives.
The IPC found that CHEO acted reasonably in the circumstances, having a comprehensive protection framework in place that was actively enforced, including criminal background checks on all employees, confidentiality agreements, annual training, alerts/flags on high-risk patient records, role-based access controls and a breach management plan, amongst others. As a result, the IPC found that the breach resulted from the patient services clerk deliberately disregarding her obligations and accessing records without authorization, rather than from a failure to comply with applicable legislation on CHEO’s part.
B. Adequacy of CHEO’s Response to the Privacy Breach
Subsections 12(2) and (3) of PHIPA provide that when personal health information in a custodian’s custody or control is used or disclosed without authority, the custodian must notify affected individuals and, in prescribed circumstances, report the breach to the IPC. The IPC has further interpreted this obligation as requiring an adequate response to a breach. This includes identifying the scope of the breach, containing it, notifying affected individuals, reporting to the IPC (as appropriate), investigating the cause and implementing remedial measures to reduce the risk of similar incidents.
The IPC found that CHEO’s response was adequate and reasonable in the circumstances, in that CHEO acted promptly by initiating an investigation, conducting audits and escalating the matter through its privacy breach control. The breach was further contained by suspending the patient services clerk’s access to patient records and placing her on administrative leave before her eventual termination. Further, CHEO notified the affected parties in a timely manner, reported to the IPC and implemented remedial measures, such as enhanced monitoring and staff training.
C. Administrative Penalty
Sections 61(1) and 61.1 of PHIPA allow the IPC to order an administrative penalty against a custodian or any other person that contravenes PHIPA or its regulations. Given the patient services clerk’s significant departure from privacy obligations, the IPC found that an administrative penalty was necessary to promote compliance with PHIPA and deter employees from seeking personal health information out of curiosity or outside their job duties. In setting the amount of the administrative penalty at $2,000 against the patient services clerk personally, the IPC considered that the patient services clerk received training but continued to engage in repeated violations, demonstrated limited accountability during the investigation and failed to mitigate her conduct.
Key Takeaways
The decision serves as a clear warning to custodians that privacy compliance depends on the effective operation of safeguards in practice. While the IPC found that CHEO had reasonable safeguards in the circumstances, a strong system by itself may not be sufficient to prevent misconduct; it must also be capable of detecting and responding to misconduct in a timely and effective manner. Organizations that handle personal health information should ensure their privacy programs are actively implemented across the organization, with meaningful oversight, routine monitoring and clear accountability for breaches. Broadly, the decision reflects an enforcement approach that prioritizes demonstrable accountability and requires custodians to show that their privacy programs are working in practice, not merely documented in policy.
For more information about privacy compliance in Canada, please contact Roland Hung or Laura Crimi of Torkin Manes’ Technology and Privacy & Data Management Groups.
The authors would like to acknowledge Torkin Manes’ Articling Student Kayla Oliveira for her invaluable contribution in drafting this bulletin.