The hospital sought a sealing order to redact cybersecurity information from the judicial review record concerning a ransomware attack.
The central issue was whether the risk of public harm from disclosing sensitive security details outweighed the open court principle.
The IPCO argued that the redactions were overbroad and not legally justified under the Courts of Justice Act.
The court assessed whether the hospital’s request met the Dagenais/Mentuck test for limiting public access to court records.
Evidence included expert affidavits detailing the risks of re-identification and potential exploitation by malicious actors.
The court granted a limited sealing order, balancing transparency with the need to protect hospital infrastructure and patient safety.
Background and context of the judicial review
The case arose from a judicial review of a decision by the Information and Privacy Commissioner of Ontario (IPCO) under the Personal Health Information Protection Act (PHIPA). The matter stemmed from a 2022 ransomware attack on the hospital, which compromised aspects of its digital infrastructure. As part of the investigation, IPCO reviewed the hospital’s response and internal reports and ultimately ordered the release of certain documents in response to a freedom of information request.
The hospital then brought a judicial review application challenging IPCO’s order. As part of the proceedings, it moved for a sealing order to redact portions of the court record containing sensitive cybersecurity details. These included internal strategies, system vulnerabilities, and information about how the attack was detected and remediated.
Arguments for and against redactions
The hospital submitted that disclosing this information would endanger its ability to protect patient data and hospital operations, especially as health care institutions are regular targets of cyberattacks. It relied on expert affidavits from cybersecurity professionals who explained how bad actors could exploit disclosed vulnerabilities and security measures, even if described in general terms.
The IPCO opposed the motion, arguing that the redactions were excessive and that much of the material sought to be sealed was general or already known. It asserted that the public interest in open court proceedings demanded more transparency and that the hospital had not met the high bar required under s. 137(2) of the Courts of Justice Act and the Dagenais/Mentuck test, which requires a real and substantial risk to the administration of justice or a serious risk of harm to an important public interest.
Court’s analysis and balancing test
Justice Cavanagh applied the Dagenais/Mentuck framework, which requires that a sealing order (1) be necessary to prevent a serious risk to an important public interest, and (2) be proportionate in balancing the competing interest in public access. The court recognized the strong presumption in favour of open justice but found that some information in the records, if released, could be pieced together to reveal operational vulnerabilities.
The judge was persuaded by the affidavits that even partial disclosure of digital system configurations, remediation strategies, or forensic reports could materially assist future attackers. The fact that the hospital had already suffered a ransomware attack made the potential risk more concrete and immediate.
Result and scope of sealing order
The court granted a limited sealing order, allowing redactions only to narrowly defined portions of the record—specifically, information that would reveal sensitive cybersecurity strategies, system structures, and investigative methods. The ruling emphasized that the order did not extend to generic information, policy positions, or any findings that could reasonably be shared without endangering patient safety or system integrity.
The decision illustrates how courts may protect institutional cybersecurity information in litigation involving regulatory decisions, provided the evidence of harm is precise, credible, and limited in scope.
Conclusion and outcome
The Ontario Superior Court of Justice granted a narrow sealing order in favour of The Hospital for Sick Children, recognizing that disclosing certain cybersecurity-related material would present a real and substantial risk to hospital security and public safety. The rest of the judicial review proceeded with presumptive openness, balancing transparency with protection against potential cyber threats. The Hospital for Sick Children (Applicant) successfully obtained a sealing order over limited cybersecurity information in the court record.
Applicant:
Respondent:
Court: Ontario Superior Court of Justice - Divisional Court
Case Number: DC-24-449-JR
Practice Area: Privacy law
Amount: Not specified/Unspecified
Winner: Applicant
Trial Start Date: