Lab-test provider LifeLabs failed to protect the personal health information of millions of Canadians, a joint investigation by the B.C. and Ontario privacy commissioners has found.
According to the joint report, the company failed to implement “reasonable safeguards” to protect personal information and violated privacy laws in both provinces, resulting in a significant privacy breach in 2019.
The personal information of an unknown number of the company’s 15 million Canadian customers was stolen in a data breach in late October that year, as were test results from 85,000 Ontarians.
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn’t happen again,” B.C. privacy commissioner Michael McEvoy said in the report, released Thursday.
LifeLabs is Canada’s largest provider of general health diagnostic and specialty laboratory testing services and has been in operation for more than 50 years with 5,700 employees.
It performs more than 100 million lab tests each year, with 20 million annual patient visits.
The company says it has received the report regarding what it describes as a ‘cyber-attack late last year’.
In a statement, LifeLabs says it has appointed a Chief Information Security Officer who, together with an expanded team, is leading a program of information security improvements.
“Over the last several months, we have also worked to notify customers whose personal health information was impacted by the cyber-attack; as reported in our public announcement these customers were limited to Ontario residents,” reads a statement from the company.
“What we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do.”
LifeLabs is now ordered to improve specific practices regarding information technology security and formally put in place written information practices and policies with respect to information technology security.
The joint investigation started in December 2019. It also found LifeLabs collected more personal health information than was reasonably necessary.
The Ontario and B.C. offices determined LifeLabs failed to take reasonable steps to protect the personal health information in its electronic systems and failed to have adequate information technology security policies in place.
“This investigation also reinforces the need for changes to B.C.’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties,” McEvoy said.
Both offices have ordered LifeLabs to implement a number of measures to address these shortcomings.
The privacy commissioners are also requiring the company to cease collecting specified information and to securely dispose of the records of that information which it has collected.
© 2020 Global News, a division of Corus Entertainment Inc.