VICTORIA (NEWS 1130 — A healthcare company hit by a massive privacy breach failed to take reasonable steps to protect the personal information of millions of Canadians, according to a report released Thursday following a joint investigation by the information and privacy commissioners of B.C. and Ontario.
The joint investigation revealed that LifeLab’s failure to implement reasonable safeguards violated Ontario’s health privacy law, the Personal Health Information Protection Act, and B.C.’s personal information protection law.
Both offices have ordered LifeLabs — which performs diagnostic, naturopathic, and genetic tests — to put in place a number of measures so something similar doesn’t happen again.
Data files of 15 million people — including addresses, birth dates and log-ins — were accessed by criminals as part of the breach.
The company most of us use to collect our most personal information, @LifeLabs, getting a scathing rebuke from BC and Ontario privacy commissioners. The investigation into a massive data breach last winter now out.#bcpoli @bcinfoprivacy 1/
— LizaYuzda (@LizaYuzda) June 25, 2020
LifeLabs knew about the security breach in October 2019, but didn’t tell the public until December. The provincial government was notified Oct. 28 that hackers had accessed private test results from 2016 and earlier, belonging to customers in B.C. and Ontario. The Office of the Information and Privacy Commissioner was notified Nov. 1.
The Ontario and B.C. offices determined the company:
- failed to take reasonable steps to protect the personal health information in its electronic systems;
- failed to have adequate information technology security policies in place;
- and collected more personal health information than was reasonably necessary.
Publication of the report, however, is being held up by LifeLabs’ claims that information it provided to the commissioners is privileged or otherwise confidential.
The commissioners reject such claims.
“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable,” Michael McEvoy, information and privacy commissioner of B.C., says in a release.
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn’t happen again,” he adds.
“This investigation also reinforces the need for changes to B.C.’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”
Brian Beamish, information and privacy commissioner of Ontario, says the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against such attacks.
“I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation,” he says.
On March 25, the Ontario government amended the province’s health privacy law. Once implemented, Ontario will be the first province in Canada to give the information and privacy commissioner the power to levy monetary penalties against individuals and companies that contravene its privacy laws.
LifeLabs said previously it paid a ransom to the hackers in order to secure the data, and engaged experts to make sure customers didn’t have their identities stolen.