LifeLabs failed to protect millions of Canadians’ personal health information, according to the Information and Privacy Commissioners of B.C. (OIPC) and Ontario (IPC), resulting in a “significant” data breach last fall.
The B.C. OIPC and Ontario IPC launched a joint investigation into LifeLabs’ 2019 privacy breach, which exposed the personal data of 15 million LifeLabs patients, mainly in B.C. and Ontario – including addresses, customer logins and passwords, birthdays, lab results and health care numbers.
LifeLabs – a healthcare and laboratory testing company – violated B.C.’s personal information protection law, PIPA, and Ontario’s health privacy law, PHIPA, and failed to implement “reasonable safeguards” to protect patient information.
In particular, the B.C. and Ontario offices found that LifeLabs:
- Failed to take reasonable steps to protect the personal health information in its electronic systems;
- Failed to have adequate information technology security policies in place; and
- Collected more personal health information than was reasonably necessary.
However, the company did take reasonable steps to contain and investigate the breach, according to the investigation findings.
LifeLabs – which has six locations in Richmond – notified the B.C. OIPC and Ontario IPC of the cyberattack Nov. 1 and Nov. 5, 2019. The company became aware of the cyberattack Oct. 28, 2019.
The company then advised the offices that cyber criminals had extracted patient data and demanded a ransom.
“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable,” said Michael McEvoy, B.C.’s information and privacy commissioner, in a statement.
The Ontario commissioner ordered LifeLabs to implement a number of measures, for example, improving specific practices regarding information technology security and improving its process for notifying individuals of the specific elements of their personal health information affected by the breach.
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm. The orders made are aimed at making sure this doesn’t happen again,” said McEvoy.
“This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.”
LifeLabs performs over 100 million laboratory tests each year, and its website hosts Canada’s largest online patient portal, through which more than 2.5 million individuals access their lab results each year.
The release of the full investigation report, according to the B.C. OIPC and Ontario IPC, is being held up by “LifeLabs’ claims that information it provided to the commissioners is privileged or otherwise confidential.”
However, the commissioners say they reject those claims and intend to make the report available to the public unless LifeLabs takes court action.