LifeLabs failed to protect personal health information of millions, commissioners say

LifeLabs failed to protect the personal health information of millions of Canadians, resulting in a "significant privacy breach," according to a joint investigation by Ontario and B.C.'s information and privacy commissioners.

Last December, the laboratory testing company revealed it had been the target of a large cyberattack affecting the private information of 15 million Canadians — mainly residents of B.C. and Ontario. 

The joint investigation found the company failed to implement reasonable safeguards to protect the personal health information, which violated B.C.'s personal information protection law, Ontario's health privacy law and the Personal Health Information Protection Act.

"LifeLabs' failure to properly protect the personal health information of British Columbians and Canadians is unacceptable," B.C. information and privacy commissioner Michael McEvoy said in a statement.

"LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm."

The results of the investigation also found that LifeLabs failed to have adequate technology security policies and collected more personal information than necessary.

"This investigation also reinforces the need for changes to B.C.'s laws that allow regulators to consider imposing financial penalties on companies that violate people's privacy rights," McEvoy said.

His counterpart in Ontario, Brian Beamish, said "the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks."

The Canadian laboratory testing company has been ordered by both offices to implement measures to address these shortcomings.

In a response to the investigation's findings, LifeLabs said it will continue to work to protect itself against cybercrime by making data protection and privacy central to how it operates, adding it has made a commitment to its customers to work hard to earn back their trust. 

In June, the company announced it had also hired a third-party firm to evaluate its response to the cyberattack, as well as its security systems.

Health minister confident in LifeLabs

Despite the controversy in December, B.C.'s health minister, Adrian Dix, says the province renewed its longtime contract with LifeLabs. However, Dix says the new contract includes strengthened privacy considerations and the space to incorporate the recommendations of the commissioners.

"People can be confident that significant changes have been made when they go to LifeLabs," said Dix.

"LifeLabs has been longtime partners in the [provincial healthcare] system but it's our expectation that they do better."