Lab-test provider LifeLabs failed to protect the personal health information of millions of Canadians, a joint investigation by the B.C. and Ontario privacy commissioners has found.
The joint report said the company failed to implement “reasonable safeguards” to protect personal information and violated privacy laws in both provinces, which resulted in a significant breach in 2019.
The personal information of an unknown number of the company’s 15 million Canadian customers was stolen in a data breach in late October that year, as were test results from 85,000 Ontarians.
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” B.C. privacy commissioner Michael McEvoy said in the report, released Thursday.
“The orders made are aimed at making sure this doesn’t happen again.”
The Ontario and B.C. offices determined LifeLabs failed to take reasonable steps to protect the personal information in its electronic systems and failed to have adequate information technology security policies in place.
The privacy commissioners say LifeLabs is blocking the public release of the report addressing what happened. B.C. Health Minister Adrian Dix is calling for the report to be released to the public.
“I want to see the report,” Dix said.
“I expect to see the report, I support the report’s release. I respect LifeLabs, they are key partners but we need to see the report. We need to see the report because it is important for British Columbians.”
Dix says there have been consequences for the company even if there haven’t been any fines.
“LifeLabs is a company that has been a core partner for the province of B.C. since 1958,” Dix said.
“It is our expectation that they will do better.”
The company also collected more information than was reasonably necessary, the report said.
“This investigation also reinforces the need for changes to B.C.’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties,” McEvoy said.
LifeLabs has been ordered to improve specific practices on information technology security, cease collecting certain pieces of information, and securely dispose of the records of the information it collects.
“This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks,” said Ontario privacy commissioner Brian Beamish.
In a statement, the company said it has appointed a Chief Information Security Officer to lead a team on a program of information security improvements.
“What we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do,” the statement said.
LifeLabs is Canada’s largest provider of general health diagnostic and specialty laboratory testing services and has been in operation for more than 50 years with 5,700 employees.
It performs more than 100 million lab tests each year, with 20 million annual patient visits.