The privacy commissioners in Ontario and British Columbia have concluded LifeLabs, Canada’s largest laboratory-testing company, violated the privacy of millions of Canadians after lapses that created the conditions for the breach.
The findings, released on Thursday, said the company’s failure to implement reasonable safeguards to protect the personal health information resulted in a major cyber attack late last year, a violation of privacy laws in both provinces.
The report notes the company failed to take reasonable steps to protect the personal health information in its electronic systems, failed to have adequate information-technology security policies in place, and collected more personal health information than was reasonably necessary.
The cyber attack last October affected up to 15 million customers, almost all of them in Ontario and B.C. The personal information stolen from the lab-test provider could include a customer’s name, address, e-mail, login, passwords, date of birth and health-card number.
In a statement issued Thursday, the company said it has taken a number of steps to enhance and strengthen its information security systems, including appointing a chief information security officer to lead the improvements, and implementing strengthened cybercrime-detection technology across the organization.
“From the beginning, LifeLabs has committed to being open and transparent and we will continue to follow these principles as we work together on a path forward,” the statement reads.
“We made a commitment to our customers that we would learn and work hard to earn back their trust.”
The full report of the investigation has yet to be made public: Ontario Information and Privacy Commissioner Brian Beamish said both Ontario and B.C. are “eager” to release the report publicly, but he said LifeLabs is claiming that key elements are confidential or covered by solicitor-client privilege.
“We strongly disagree. We have provided LifeLabs with detailed reasons why we reject their claim. Based on LifeLabs’s position throughout this investigation, we fully expect them to bring us to court to prevent us from publishing the report,” Mr. Beamish said in a statement.
Michael McEvoy, the Information and Privacy Commissioner for B.C., said the company should adhere to its promise to the public as being “open and transparent.”
“We hope that they will, in fact, do so, and raise no objection to this report being made public within the next few days,” he said in an interview.
B.C. Health Minister Adrian Dix called on LifeLabs, a major contractor to his ministry, to abandon its objections to releasing the report.
“I want to see the report,” he told reporters.
“We know that this is a serious issue that every health system is facing right now – health systems all over the world are under, I’d say, constant attack.”
The B.C. Ministry of Health overhauled its contract with LifeLabs after the breach occurred. The new contract includes provisions that strengthen the privacy considerations, Mr. Dix said, and will incorporate the recommendations with the information and privacy commissioners of Ontario and B.C.
“So I think people can be confident that significant changes have been made when they go to LifeLabs,” he said.
He added that he is not aware of any indication that the leaked information was misused, but he said the breach undermined public confidence.
Currently, B.C.’s privacy commissioner does not have the power to issue financial penalties on companies that violate people’s privacy rights, but Mr. McEvoy said in the joint statement that the investigation also reinforces the need for changes to B.C.’s laws that allow regulators to have such ability.
Mr. Dix said he is supportive of a proposal to give the province’s privacy watchdog that power, but said the decision will be part of a larger review of the Privacy Act, which is still taking place.
Recent amendments to Ontario’s health privacy legislation passed in March give that province’s privacy commissioner the power to levy monetary penalties – at his discretion – for privacy breaches. However, the regulations have yet to be developed.
“If they were in effect, this is definitely a case where I would consider such a penalty,” Mr. Beamish said.
Health Minister Christine Elliott’s office said the province is engaged with stakeholders on the regulations but there is no date on when they will be introduced.
“We thank the Information and Privacy Commissioner for their work and have every expectation that LifeLabs will implement the recommendations,” spokeswoman Hayley Chazan said.
In December, a proposed class-action lawsuit was filed against LifeLabs over the breach. In an unproven statement of claim filed in Ontario Superior Court, lawyers Peter Waldmann and Andrew Stein accuse LifeLabs of negligence, breach of contract and violating their customers’ confidence, as well as privacy and consumer protection laws.
Mr. Waldmann said the findings of the joint investigation “certainly makes the case a lot stronger.”
“The investigation presumably will help us find out what happened, which is the only reason I would think they would not want to disclose it, because it’s embarrassing,” he said.
He said 13 law firms across the country have brought class actions forward and a court will decide which case will go ahead.