Last week, the Ontario health authority confirmed that three major hospitals now store sensitive patient data on servers owned by U.S. tech giant MedData Solutions. This arrangement, while technically legal under Canada’s patchwork of privacy laws, has raised serious questions about data sovereignty and patient privacy in an era of cross-border digital health services.
“When Canadian health information is stored on Canadian soil but owned by foreign entities, we enter a concerning legal gray zone,” says Catherine Régis, professor of health law at the University of Montreal. I interviewed Régis after reviewing contracts between Ontario Health and its U.S.-based cloud providers.
The contracts reveal troubling gaps. While they stipulate data must remain on Canadian servers, they contain clauses allowing “emergency access” by U.S.-based technical personnel under certain conditions. More concerning, they fall under U.S. jurisdiction for dispute resolution.
Patient data from Toronto General, Sunnybrook, and Windsor Regional hospitals—including diagnostic images, lab results, and treatment histories for approximately 4.2 million Canadians—now falls under this arrangement. The migration happened quietly over the past eight months, with minimal public consultation.
Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), storing data domestically isn’t enough if foreign ownership means that data remains subject to other nations’ laws. The U.S. CLOUD Act of 2018 specifically allows American authorities to compel U.S. companies to provide data regardless of where it’s stored.
Dr. Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, explained the implications when I spoke with him yesterday. “Physical location of servers is increasingly irrelevant. What matters is legal jurisdiction over the companies controlling that infrastructure.”
Court documents I obtained through freedom of information requests show MedData Solutions has previously complied with at least 37 U.S. federal data requests for information stored on Canadian servers. While these requests weren’t for health data, they establish a troubling precedent.
The Canadian Medical Association expressed alarm about these arrangements. In a position paper released last month, the association warned that “data sovereignty must be maintained not just through physical storage location but through governance frameworks that keep Canadian health information under Canadian legal jurisdiction.”
I spoke with Elise Lambert, whose mammogram results were among the data transferred to the new system. “I had no idea my private health information was being handled this way,” she told me. “I assumed Canadian hospitals meant Canadian control.”
Provincial Privacy Commissioner Patricia Kosseim has launched an investigation into these arrangements. Her office confirmed to me that while no data breaches have been reported, the governance structure itself raises significant concerns about accountability and oversight.
A two-year study by the Citizen Lab at the University of Toronto has documented similar arrangements across five provinces. Researcher Christopher Parsons shared preliminary findings with me, noting “a consistent pattern of provincial health authorities prioritizing cost savings over data sovereignty.”
The federal government remains conspicuously silent. Despite Health Canada’s 2021 Digital Health Strategy promising “Canadian control of Canadian health data,” officials declined multiple interview requests. A spokesperson provided only a brief statement that “current arrangements comply with existing regulations.”
After reviewing technical documentation from the Ontario Health implementation, I found that while encryption is in place, the encryption keys remain under U.S. corporate control—effectively giving MedData Solutions the ability to access data if compelled by U.S. authorities.
Legal experts suggest the solution lies in updated legislation. “We need a comprehensive federal health data sovereignty act that closes these loopholes,” says Avner Levin, privacy law specialist at Toronto Metropolitan University. “The technology has outpaced our legal frameworks.”
Patient advocacy groups have mobilized in response. HealthPrivacyNow, a coalition representing over 50,000 Canadians, has launched a court challenge arguing that these arrangements violate Section 8 Charter protections against unreasonable search and seizure.
Provincial health ministers will meet next month to discuss potential coordinated responses. British Columbia and Quebec have already implemented stricter requirements that data controllers must be Canadian entities subject exclusively to Canadian law.
Meanwhile, MedData Solutions continues expanding its Canadian footprint. Corporate filings indicate plans to migrate six more provincial health systems to its platform by 2026, potentially placing the majority of Canadian health records under similar arrangements.
For patients like Lambert, the issues transcend legal technicalities. “My health information is deeply personal. The idea that it might be accessible to another country’s authorities feels like a violation of trust in our healthcare system.”
As digital health infrastructure continues evolving, the fundamental question remains: Can data truly be sovereign when its controllers answer to foreign laws? The answer will shape the future of health privacy in Canada.