Private information of millions in BC and Ontario wasn't protected by LifeLabs: report

After LifeLabs revealed last December that it had been the victim of a “cyber security-attack” involving “unauthorized access” to its computer systems, a joint investigation by the Information and Privacy Commissioners of Ontario and BC found that personal and private information of millions of its customers was compromised as a result.

The investigation revealed that LifeLabs failed to protect the personal health information of millions of Canadians, resulting in the 2019 privacy breach. The investigation also revealed that the company’s failure to implement reasonable safeguards to protect the personal health information of millions of Canadians violated Ontario’s health privacy law, PHIPA, and BC’s personal information protection law, PIPA.

“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law,” said Ontario’s Information and Privacy Commissioner Brian Beamish in a statement. “This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.”

Now, Beamish said he is “looking forward” to providing the public, and particularly those who were affected by the breach, with the full details of our investigation.”

• See also:
  • Hackers crack 15M LifeLabs accounts, obtain lab results and health card numbers
  • Trudeau announces further support for post-secondary students
  • Here’s what Cineplex theatres are going to look like when they reopen

The Ontario and BC offices said that through their investigation, they determined LifeLabs failed to take “reasonable steps” to protect the personal health information in its electronic systems; failed to have “adequate” information technology security policies in place; and
collected more personal health information than was “reasonably necessary.”

Now, both offices said they have ordered LifeLabs to implement a number of measures to “address these shortcomings.”

These orders, they said, include the following:

• Improving specific practices regarding information technology security.
• Formally putting in place written information practices and policies with respect to information technology security.
• To cease collecting specified information and to securely dispose of the records of that information which it has collected.
• Improving its process for notifying individuals of the specific elements of their personal health information which were the subject of the breach.
• Clarifying and formalizing its status with respect to health information custodians in Ontario with whom it has contracts to provide laboratory services.
• Consulting with independent third-party experts with respect to whether a longer period of credit monitoring service would be more appropriate in the circumstances of this breach.

The investigation “also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights,” said BC’s Information and Privacy Commissioner Michael McEvoy. “LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable.”

LifeLabs, he furthered, “exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn’t happen again.

Offices of both privacy commissioners noted that actual publication of the report is being held up “by LifeLabs’ claims that information it provided to the commissioners is privileged or otherwise confidential.”

Both BC and Ontario commissioners said they reject these claims, and they “intend to publish the report publicly, unless LifeLabs takes court action.”

LifeLabs responds

In response to the findings, LifeLabs said in a statement that it has received the report and is reviewing it.

“What we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do,” the company said. “We have made a commitment through our partnership with experts, the health care sector, governments and IT companies, to become a global leader in protecting health care data.”

LifeLabs said that on the day it announced the cyber attack last year, it “made a commitment to our customers that we would learn and work hard to earn back their trust.”

And while the company admits it “cannot change what happened,” it said that it wants to assure its customers that it has made “every effort to provide our customers with service they can rely upon. ”

LifeLabs added that if COVID-19 “has taught us anything, it’s that we need to keep innovating.”

Electronic records “are an important part of delivering great service to our customers, now more so than ever,” the company said. “We will not let cybercrime hold us back in efforts to enhance virtual and accessible health care for all of our customers. We will continue to drive collaboration across private and public sectors to deter cybercriminals and strengthen the system, to protect and serve our customers as best as possible.”

LifeLabs has been in operation for over 50 years and currently has 5,700 employees. The company said it performs over 100 million laboratory tests each year, with 20 million annual patient visits to its locations.