B.C. health minister wants to see LifeLabs report, supports fines

VICTORIA (NEWS 1130) — The provincial government wants to see a report detailing how LifeLabs failed to take reasonable steps to protect the personal health information of millions of Canadians from a massive privacy breach.

Results of a joint investigation released Thursday show LifeLabs failed to implement reasonable safeguards, violating Ontario’s health privacy law, the Personal Health Information Protection Act, and B.C.’s personal information protection law.

The information and privacy commissioners of B.C. and Ontario both ordered LifeLabs — which performs diagnostic, naturopathic, and genetic tests — to put in place a number of measures so something similar doesn’t happen again.

Publication of the report, however, is being held up by LifeLabs’ claims that information it provided to the commissioners is privileged or otherwise confidential.

The commissioners rejected such claims.

“I’m the minister of health and I’m a citizen of B.C., and I want to see the report,” Health Minister Adrian Dix said Thursday. “We know that this is a serious issue that every health system is facing right now, that health systems all over the world are under constant attack, daily attack, minute-by-minute attack. And so this situation occurred in B.C., as you recall.”

The company most of us use to collect our most personal information, @LifeLabs, getting a scathing rebuke from BC and Ontario privacy commissioners. The investigation into a massive data breach last winter now out.#bcpoli @bcinfoprivacy 1/

— LizaYuzda (@LizaYuzda) June 25, 2020

 

Data files of 15 million people — including addresses, birth dates and log-ins — were accessed by criminals as part of the breach.

LifeLabs knew about the security breach in October 2019, but didn’t tell the public until December. The provincial government was notified Oct. 28 that hackers had accessed private test results from 2016 and earlier, belonging to customers in B.C. and Ontario. The Office of the Information and Privacy Commissioner was notified Nov. 1.

Michael McEvoy, information and privacy commissioner of B.C., was notified and committed to writing a report on the incident, Dix said.

“Since that time, changes have been made both in our contract negotiations with LifeLabs and by LifeLabs to address the specific circumstances that occurred in 2019,” Dix added.

“But it’s also important to recognize that the people who are trying to do these things are getting better every day, and that we have to get better every day. And so that’s why we need to see the report. I expect to see the report.”

RELATED:

• LifeLabs failed to reasonably protect health information of millions of Canadians: report

• LifeLabs told B.C. gov’t about breach in October: health minister

Dix said LifeLabs has been around as a company, in various forms, since 1958 and associated with public health care since the beginning of Medicare in B.C.

“So this is a long-standing relationship and B.C. We have great respect for the company, but we need to see the report.”

Q- why no consequences for the company?@adriandix There have been consequences – changes to address privacy in contract, changes made at company level.
Fines he says again sound like a good idea… select standing committee will look at this.#bcpoli @NEWS1130

— LizaYuzda (@LizaYuzda) June 25, 2020

Dix said regarding consequences, LifeLabs has made changes to address privacy issues as part of its contract. He also said McEvoy has recommended fines, which a select standing committee will review.

“I agree with Mr. McEvoy that there aren’t provisions for fines in the act and that’s a good idea,” Dix said.

“So that’s something to be considered, but what the main thing to be considered, it seems to me, is the protection of personal information.”

LifeLabs issued a statement in response.

“On the day we announced the cyber-attack last year, we made a commitment to our customers that we would learn and work hard to earn back their trust. We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon,” it reads.

“What we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do.”