TORONTO -- LifeLabs failed to protect the personal health information of millions of Canadians, a joint investigation suggests.
The joint investigation by the information and privacy commissioners of Ontario and B.C. says the failure resulted in a significant privacy breach in December 2019, which affected 15 million Canadians – primarily in those two provinces.
"Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario's health privacy law," Brian Beamish, information and privacy commissioner of Ontario said in a statement.
"This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks. I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation."
Michael McEvoy, information and privacy commissioner of British Columbia, added: "LifeLabs' failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn't happen again.”
The investigation says LifeLabs failed:
To take the reasonable steps to protect confidential information in its electronic systems, violating Ontario's health privacy law, the Personal Health Information Protection Act (PHIPA), and B.C.'s personal information protection law;
to put in place the adequate information technology security policies;
by collecting more personal information than was necessary.
Publication of the report is being delayed, according to the commissioners, because LifeLabs says the information the company provided is confidential. The commissioners deny those claims and say they plan to publish the report unless LifeLabs takes court action.
While the joint inquiry found that LifeLabs took “reasonable steps” to contain and investigate the breach, the Information and Privacy Commissioner of Ontario ordered the laboratory testing provider to implement a number of additional measures to further address the shortcomings revealed in the investigation.
Their recommendations for LifeLabs include:
To improve specific practices regarding information technology security;
to formally put in place written information practices and policies with respect to information technology security;
to cease collecting specified information and to securely dispose of records of that information, which it has collected;
to improve its process for notifying individuals of the specific personal health information that was exposed in the breach;
to clarify and formalize its status with respect to health information custodians in Ontario with whom it has contracts to provide laboratory services.
Finally, the commissioners recommended that LifeLabs consult with independent third-party experts about whether offering customers a longer period of credit monitoring service would be appropriate given the circumstances of the breach.
In a statement posted online, LifeLabs said it received the report and is “reviewing” the findings.
“From the beginning, LifeLabs has committed to being open and transparent and we will continue to follow these principles as we work together on a path forward,” the statement continued.
“On the day we announced the cyber-attack last year, we made a commitment to our customers that we would learn and work hard to earn back their trust. We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon.”
LifeLabs said its made a number of changes in early June to strengthen its information security system, including:
Appointing a chief information security officer, chief privacy officer and chief information officer;
investing $50 million to improve its information security system;
deployed cyber security firms to investigate the deep web for information related to the attack;
established an Information Security Council comprised of cyber security experts;
implemented a stronger cybercrime detection technology across the company.
“What we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do,” the statement continues. “We have made a commitment through our partnership with experts, the health care sector, governments and IT companies, to become a global leader in protecting health care data.”
In the aftermath of the 2019 breach, LifeLabs offered its customers one free year of cyber protection services, including dark web monitoring and identity theft insurance.
Privacy commissioners in B.C. and Ontario were first notified of the breach in November 2019. The offices announced their joint investigation in mid-December after it was revealed the breach had affected millions of Canadians.