sa国际传媒

Skip to content
Join our Newsletter

LifeLabs ordered to improve security after privacy breach

TORONTO 鈥 One of sa国际传媒鈥檚 largest medical services companies failed to put in place reasonable safeguards to protect the personal health information of millions of Canadians, say the privacy commissioners in sa国际传媒 and Ontario.
B1-06262020-labs-CLR.jpg
A LifeLabs sign at one of its Toronto locations.

TORONTO 鈥 One of sa国际传媒鈥檚 largest medical services companies failed to put in place reasonable safeguards to protect the personal health information of millions of Canadians, say the privacy commissioners in sa国际传媒 and Ontario.

LifeLabs revealed last November that hackers gained access to the personal information of up to 15 million customers, almost all in Ontario and sa国际传媒, and that the company paid a ransom to retrieve and secure the data.

The breach was determined to have affected millions of Canadians and the privacy commissioners announced their joint investigation in mid-December.

A statement released Thursday by the commissioners says the breach last year broke Ontario鈥檚 health privacy law and sa国际传媒鈥檚 personal information protection law.

The joint investigation found LifeLabs collected more personal health information than was necessary, failed to protect that data in its electronic systems and relied on inadequate information technology security policies.

sa国际传媒鈥檚 privacy commissioner and health minister say the investigation shows that provincial legislation should be changed to allow fines against companies that don鈥檛 protect personal information.

Michael McEvoy, the information and privacy commissioner of sa国际传媒, said the size of the breach was largest he has investigated.

鈥淭his the most significant privacy breach I鈥檝e ever seen in British Columbia as privacy commissioner and I think that our office has seen in many years,鈥 he said in an interview.

Both the Ontario and sa国际传媒 offices have ordered LifeLabs to address shortcomings through measures that include improving its security systems and creating written policies and practices regarding information technology security.

But McEvoy said the health care company has opposed the release of the commissioners鈥 report on the grounds it contained confidential and privileged information.

鈥淟ifeLabs said today, in a press release, that it鈥檚 been open and transparent from the outset of this matter and we hope that in the spirit of that openness and transparency, they will drop any objections they have to the full publication of our investigation report,鈥 he said.

sa国际传媒 Health Minister Adrian Dix backed that call.

鈥淧ublic interest lies in more information being provided to build public confidence, and that鈥檚 how you respond to these things,鈥 he said. 鈥淟ifeLabs is a great company and a great partner but what this has shown is they, and all of us, have to do better.鈥

LifeLabs says it has accelerated its strategy to strengthen its information security systems, including appointing a chief information security officer to lead the improvements.

The company said it has also made efforts to improve its information security management program with an initial $50 million investment and has hired a third-party service to evaluate its response.

鈥淲hat we have learned from last year鈥檚 cyberattack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do,鈥 LifeLabs said in a statement.

Dix, who hasn鈥檛 seen the privacy commissioners鈥 report, said the government made changes in its contract negotiations with LifeLabs after the data breach. Those include provisions that strengthen privacy considerations and offer a place to incorporate the recommendations from the joint investigation, he said.