LifeLabs, privacy commissioners at odds over release of data breach report

LifeLabs hit last year by ransomware attack affecting millions of Canadians

Privacy commissioners in B.C. and Ontario remain at odds with LifeLabs LP over the public release of a report delving into a massive data breach at Canada’s largest medical testing company.

LifeLabs filed a petition in B.C. Supreme Court Monday (July 27), seeking a court order to stop the public release of the commissioners’ full report into a ransomware attack last fall that hit 15 million people.

The company is arguing the release would divulge information handed over to commissioners that it considers privileged or confidential.

“Commissioners Patricia Kosseim (Ontario) and Michael McEvoy (B.C.) maintain the view that the public release of the joint investigative report is vital to bringing to light the underlying causes of the privacy breach and rebuilding public trust by providing a transparent account of their investigation and findings,” the commissioners said Wednesday (July 29) in a statement.

The pair added they “take issue with” the claim the release of the full report would expose privileged or confidential info.

“As this matter is now before the courts, our offices will not be providing any further comment at this time,” the commissioners said.

In an email sent to BIV following an interview request, LifeLabs senior vice-president of corporate affairs Chris Carson said LifeLabs is committed to implementing the orders and recommendations from the report.

He did not address inquiries from BIV regarding why the company was opposed to releasing the report.

"From the beginning, as we responded to last year’s cyber-attack, LifeLabs has committed to the best interests of our customers and we will continue to follow these principles as we work together with the Ontario and B.C. privacy commissioners on a path forward as the report makes its way through the process/courts," Carson said in a statement.

Following last month’s release of a summary of the investigation, B.C. and Ontario information and privacy commissioners said LifeLabs has agreed to follow all the orders and recommendations made in the report.

A report summary released June 25 found LifeLabs’ actions violated B.C.’s personal information protection law, concluding the company failed to take reasonable steps to protect personal health information.

The investigation also determined LifeLabs did not have adequate security policies in place and collected more personal information than “reasonably necessary.”

The commissioners subsequently ordered LifeLabs to improve practices regarding cybersecurity, to formally put in place written cybersecurity practices and policies, to cease collecting certain information and to securely dispose of the records of information collected.

It was revealed last year that cyber criminals penetrated LifeLabs’ systems, extracting data and demanding a ransom.

LifeLabs CEO Charles Brown said the company retrieved the data by making payment.

“We did this in collaboration with experts familiar with cyberattacks and negotiations with cyber criminals,” he said in an open letter released in December 2019.

“I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyberattack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”

—With a file from Jeremy Hainsworth

Updated July 29, 2:45 p.m. with response from LifeLabs

torton@biv.com

@reporton