Class Action News

https://vancouversun.com/business/local-business/privacy-commissioners-in-b-c-ontario-order-lifelabs-to-improve-security/wcm/7a53261d-e64c-423f-bb99-971860727867/


VICTORIA — A joint investigation by the privacy commissioners of B.C. and Ontario says LifeLabs failed to put in place reasonable safeguards to protect the personal health information of millions of Canadians.

A statement released Thursday by the commissioners says the breach last year at LifeLabs, one of Canada’s largest medical services companies, broke B.C.’s personal information protection law and Ontario’s health privacy law.

The joint investigation found LifeLabs collected more personal health information than was necessary, failed to protect that data in its electronic systems and relied on inadequate information technology security policies.

Both offices have ordered LifeLabs to address the shortcomings through measures that include improving its security systems and creating written policies and practices regarding information technology security.

LifeLabs revealed last November that hackers gained access to the personal information of up to 15 million customers, almost all in Ontario and B.C., and that the company was forced to pay a ransom to retrieve and secure the data.

The breach was determined to have affected millions of Canadians and the privacy commissioners announced their joint probe in mid-December.

Michael McEvoy, information and privacy commissioner of B.C., said the failure by LifeLabs to properly protect the personal health information is unacceptable.

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm. The orders made are aimed at making sure this doesn’t happen again.”

Ontario commissioner Brian Beamish says the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.

“I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation,” Beamish says in the statement.

LifeLabs issued a statement saying it has taken steps to accelerate its strategy to strengthen its information security systems, including appointing a chief information security officer to lead the improvements.

The firm said it has accelerated its information security management program with an initial $50-million investment and has hired a third-party service to evaluate its response.

“What we have learned from last year’s cyberattack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do,” LifeLabs says in its statement.

A proposed class-action lawsuit was filed against the company last year over the data breach. The statement of claim filed in Ontario accused the firm of negligence, breach of contract and violating its customers’ confidence as well as privacy and consumer protection laws.


https://www.ctvnews.ca/business/lifelabs-failed-to-protect-the-personal-health-information-of-millions-of-canadians-investigation-1.4999815


TORONTO -- LifeLabs failed to protect the personal health information of millions of Canadians, a joint investigation suggests.

The joint investigation by the information and privacy commissioners of Ontario and B.C. says the failure resulted in a significant privacy breach in December 2019, which affected 15 million Canadians – primarily in those two provinces.

"Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario's health privacy law," Brian Beamish, information and privacy commissioner of Ontario, said in a statement.

"This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks. I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation."

Michael McEvoy, information and privacy commissioner of British Columbia, added: "LifeLabs' failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn't happen again."

The investigation says LifeLabs failed:

  • To take reasonable steps to protect confidential information in its electronic systems, violating Ontario's health privacy law, the Personal Health Information Protection Act (PHIPA), and B.C.'s personal information protection law;

  • to put in place adequate information technology security policies;

  • by collecting more personal information than was necessary.

Publication of the report is being delayed, according to the commissioners, because LifeLabs says the information the company provided is confidential. The commissioners deny those claims and say they plan to publish the report unless LifeLabs takes court action.

While the joint inquiry found that LifeLabs took “reasonable steps” to contain and investigate the breach, the Information and Privacy Commissioner of Ontario ordered the laboratory testing provider to implement a number of additional measures to further address the shortcomings revealed in the investigation.

Their recommendations for LifeLabs include:

  • To improve specific practices regarding information technology security;

  • to formally put in place written information practices and policies with respect to information technology security;

  • to cease collecting specified information and to securely dispose of records of that information, which it has collected;

  • to improve its process for notifying individuals of the specific personal health information that was exposed in the breach;

  • to clarify and formalize its status with respect to health information custodians in Ontario with whom it has contracts to provide laboratory services.

Finally, the commissioners recommended that LifeLabs consult with independent third-party experts about whether offering customers a longer period of credit monitoring service would be appropriate given the circumstances of the breach.

In a statement posted online, LifeLabs said it received the report and is “reviewing” the findings.

“From the beginning, LifeLabs has committed to being open and transparent and we will continue to follow these principles as we work together on a path forward,” the statement continued.

“On the day we announced the cyber-attack last year, we made a commitment to our customers that we would learn and work hard to earn back their trust. We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon.”

LifeLabs said it made a number of changes in early June to strengthen its information security system, including:

  • Appointing a chief information security officer, chief privacy officer and chief information officer;

  • investing $50 million to improve its information security system;

  • deploying cyber security firms to investigate the deep web for information related to the attack;

  • establishing an Information Security Council comprised of cyber security experts;

  • implementing stronger cybercrime detection technology across the company.

“What we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do,” the statement continues. “We have made a commitment through our partnership with experts, the health care sector, governments and IT companies, to become a global leader in protecting health care data.”

In the aftermath of the 2019 breach, LifeLabs offered its customers one free year of cyber protection services, including dark web monitoring and identity theft insurance.

Privacy commissioners in B.C. and Ontario were first notified of the breach in November 2019. The offices announced their joint investigation in mid-December after it was revealed the breach had affected millions of Canadians.
