Privacy commissioners in B.C. and Ontario say it will take court action to stop them from publishing a full report on the failures of the country’s largest medical testing company to protect the personal data of millions of Canadians.
LifeLabs LP was hit by a ransomware attack last fall, impacting 15 million people.
"LifeLabs' failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm,” B.C. information and privacy commissioner (IPC) Michael McEvoy said in a statement.
"This investigation also reinforces the need for changes to B.C.'s laws that allow regulators to consider imposing financial penalties on companies that violate people's privacy rights. This is the very kind of case where my office would have considered levying penalties."
The Ontario government amended the province’s health privacy law in March, allowing it to fine individuals and companies that violate its Personal Health Information Protection Act.
A joint investigation between the B.C. and Ontario IPCs found LifeLabs’ actions violated B.C.’s personal information protection law, concluding the company failed to take reasonable steps to protect personal health information.
The IPC investigation also determined LifeLabs did not have adequate security policies in place and collected more personal information than “reasonably necessary.”
Meanwhile, commissioners say publication of their full report is being held up by LifeLabs’ claims that information provided to the commissioners is privileged or otherwise confidential.
“The commissioners reject these claims. The Ontario IPC and B.C. OIPC intend to publish the report publicly, unless Lifelabs takes court action,” a June 25 statement said.
LifeLabs did not immediately respond to an interview request from Business in Vancouver.
The commissioners revealed last year cyber criminals penetrated the LifeLabs’ systems, extracting data and demanding a ransom.
LifeLabs CEO Charles Brown said the company retrieved the data by making payment.
“We did this in collaboration with experts familiar with cyberattacks and negotiations with cyber criminals,” he said in an open letter released in December 2019.
“I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyberattack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”
LifeLabs has “for the most part” taken reasonable steps to address shortcomings in its security measures, according to the commissioners.
—With files from Jeremy Hainsworth
Updated June 25, 5:12 p.m.:
LifeLabs did not address questions regarding accusations from privacy commissioners the company was holding up the release of the report and did not acknowledge an interview request from BIV.
But in a statement posted to its website the company confirmed it has received the joint investigation report.
“We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon,” the company said in a statement.
LifeLabs said it now employs a chief information security officer, a chief privacy officer and chief information officer.