Commissioners publish 2020 investigation report into LifeLabs privacy breach affecting millions of Canadians

The report was published after the Ontario Court of Appeal dismissed Lifelabs' bid to block public release of the report

TORONTO, Nov. 25, 2024 /CNW/ - Ontario and British Columbia Information and Privacy Commissioners have published the 2020 investigation report into the LifeLabs privacy breach affecting millions of Canadians, after the Ontario Court of Appeal dismissed LifeLabs' motion for leave to appeal the Divisional Court's decision in LifeLabs LP v. Information and Privacy Commissioner of Ontario (IPC). 

The joint investigation report concerning the 2019 cyberattack on LifeLabs' computer systems was completed in June 2020. The investigation revealed that LifeLabs failed to comply with its obligations under Ontario's Personal Health Information Protection Act and British Columbia's Personal Information Protection Act. Specifically, LifeLabs did not take reasonable steps to safeguard the personal information and personal health information of millions of Canadians.

The Office of the Information and Privacy Commissioner for Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) issued several orders and a recommendation to address these failures, all of which LifeLabs complied with. However, LifeLabs claimed that the joint investigation report could not be released to the public as it contained solicitor-client and litigation-privileged information. In 2020, the IPC and OIPC found that LifeLabs had not provided sufficient evidence to establish that the facts contained in the joint investigation report were protected by either privilege.

LifeLabs subsequently sought judicial review of the IPC and OIPC's decision on its privilege claims, but the Divisional Court dismissed their application. The Court upheld the IPC and OIPC's findings, ruling that privilege did not protect the facts related to the cyberattack, including those facts that must be determined or produced as part of LifeLabs' legal obligations to investigate and remediate the privacy breach. 

LifeLabs then sought leave to appeal the Divisional Court's decision, which the Ontario Court of Appeal has now dismissed.

"Personal health information is particularly sensitive and privacy breaches can have devastating impacts for individuals, ultimately undermining trust in Ontario's health care system," said Patricia Kosseim, Information and Privacy Commissioner of Ontario. "I am very pleased with the court's decision that allows the public to be made aware of the circumstances of this cyberattack and provides a transparent account of our investigation findings to help restore public trust in the oversight mechanisms designed to hold organizations accountable. Equally critical is for other health information custodians to learn from the hard-won lessons of their peers so they can enhance their own security safeguards and raise the cyber resilience of the sector as a whole."

"The road to accountability and transparency has been too long for the millions of British Columbians and people across the country who were victims of the 2019 LifeLabs cyberattack," said Michael Harvey, Information and Privacy Commissioner for British Columbia. "LifeLabs' failure to put in place adequate safeguards to protect against this attack violated patients' trust, and the risk it exposed them to was unacceptable. When this happens, it is important to learn from past mistakes so others can prevent future breaches from happening. But to learn from lessons, we need to share them. For four years, LifeLabs has contested the publication of this report in the courts. I'm pleased with this ruling that affirms overly broad claims of privilege cannot be used to obstruct the vital role of our offices in ensuring public accountability, transparency, and education."

Resources:
June 25, 2020 IPC and OIPC Joint Investigation Report
IPC and OIPC summary report (2020)

X: @BCInfoPrivacy

LinkedIn: https://www.linkedin.com/company/office-of-the-information-and-privacy-commissioner-for-british-columbia/

SOURCE Office of the Information and Privacy Commissioner/Ontario

Media Contacts: Office of the Information and Privacy Commissioner of Ontario, [email protected]; Michelle Mitchell | Director of Communications, Office of the Information and Privacy Commissioner for BC, 250 217-7872 | [email protected]