LifeLabs failed to protect the personal health information of millions of Canadians, resulting in a “significant privacy breach,” according to a joint investigation by Ontario and B.C.’s information and privacy commissioners.
Last December, the laboratory testing company revealed it had been the target of a large cyberattack affecting the private information of 15 million Canadians — mainly residents of B.C. and Ontario.
The joint investigation found the company failed to implement reasonable safeguards to protect the personal health information, which violated B.C.’s personal information protection law, Ontario’s health privacy law and the Personal Health Information Protection Act.
“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable,” B.C. information and privacy commissioner Michael McEvoy said in a statement.
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm.”
The results of the investigation also found that LifeLabs failed to have adequate technology security policies and collected more personal information than necessary.
“This investigation also reinforces the need for changes to B.C.’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights,” McEvoy said.
His counterpart in Ontario, Brian Beamish, said “the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.”
The Canadian laboratory testing company has been ordered by both offices to implement measures to address these shortcomings.
In response to the investigation’s findings, LifeLabs said it will continue to work to protect itself against cybercrime by making data protection and privacy central to how it operates, adding that it has made a commitment to its customers to work hard to earn back their trust.
In June, the company announced it had also hired a third-party firm to evaluate its response to the cyberattack, as well as its security systems.