VICTORIA — One of Canada's largest medical services companies failed to put in place reasonable safeguards to protect the personal health information of millions of Canadians, say the privacy commissioners in B.C. and Ontario.
LifeLabs revealed last November that hackers gained access to the personal information of up to 15 million customers, almost all in Ontario and B.C., and that the company paid a ransom to retrieve and secure the data.
The breach was determined to have affected millions of Canadians and the privacy commissioners announced their joint investigation in mid-December.
A statement released Thursday by the commissioners says the breach last year broke Ontario's health privacy law and B.C.'s personal information protection law.
The joint investigation found LifeLabs collected more personal health information than was necessary, failed to protect that data in its electronic systems and relied on inadequate information technology security policies.
B.C.'s privacy commissioner and health minister say the investigation shows that provincial legislation should be changed to allow fines against companies that don't protect personal information.
Michael McEvoy, the information and privacy commissioner of B.C., said the size of the breach was largest he has investigated.
"This the most significant privacy breach I've ever seen in British Columbia as privacy commissioner and I think that our office has seen in many years," he said in an interview.
Both the Ontario and B.C. offices have ordered LifeLabs to address shortcomings through measures that include improving its security systems and creating written policies and practices regarding information technology security.
But McEvoy said the health care company has opposed the release of the commissioners' report on the grounds it contained confidential and privileged information.
"LifeLabs said today, in a press release, that it's been open and transparent from the outset of this matter and we hope that in the spirit of that openness and transparency, they will drop any objections they have to the full publication of our investigation report," he said.
B.C. Health Minister Adrian Dix backed that call.
"Public interest lies in more information being provided to build public confidence, and that's how you respond to these things," he said. "LifeLabs is a great company and a great partner but what this has shown is they, and all of us, have to do better."
LifeLabs says it has accelerated its strategy to strengthen its information security systems, including appointing a chief information security officer to lead the improvements.
The company said it has also made efforts to improve its information security management program with an initial $50 million investment and has hired a third-party service to evaluate its response.
"What we have learned from last year's cyberattack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do," LifeLabs said in a statement.
Dix, who hasn't seen the privacy commissioner's report, said the government made changes in its contract negotiations with LifeLabs after the data breach. Those include provisions that strengthen privacy considerations and offer a place to incorporate the recommendations from the joint investigation, he added.
McEvoy also called for his office to be given the ability to fine companies who breach privacy laws, which Dix said he supported.
Ontario commissioner Brian Beamish says the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant.
"I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation," Beamish said in a statement.
The privacy commissioners said they have given LifeLabs 14 days to take them to court to oppose the release of the report.
This report by the Canadian Press was first published June 25, 2020.
The Canadian Press