The Information and Privacy Commissioner (IPC) has completed its decision regarding the 2023 criminal ransomware cyberattack that impacted health records and information systems at five hospitals in southwestern Ontario.

Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital were all impacted by the cyberattack.

The decision concludes the IPC’s investigation, determining that no formal review or orders are required.

“We appreciate the IPC’s thorough investigation into this matter. We are specifically pleased that the IPC has acknowledged the efforts by the hospitals and TransForm Shared Service Organization to contain the breach after it occurred, as well as improvements made in our data and information protections since the time of the ransomware cyberattack,” said a joint news release from the hospitals.

“We acknowledge that the IPC has noted concern surrounding the notification of individuals whose data was encrypted by the threat actors.”

In response to this incident, hospital officials said they issued regular news releases describing the impact on data and operations, participated in multiple press conferences, and directly notified more than 300,000 individuals of the incident.

Hospital officials said they appreciate the IPC’s finding that the hospitals appropriately notified those whose personal health information was stolen during this ransomware attack.

“In an information age where cybersecurity is top of mind across multiple sectors, including public and private sector entities, the hospitals are dedicated to ensuring continued adoption of best practices in an ever-changing global cybersecurity environment,” said the news release.

Due to ongoing litigation, the hospitals are unable to comment further.