Ontario IPC and BC OIPC find LifeLabs failed to protect personal information in 2019 breach

Canadian laboratory testing company found in violation of privacy laws

TORONTO, June 25, 2020 /CNW/ - A joint investigation by the Information and Privacy Commissioners of Ontario and BC has found that LifeLabs failed to protect the personal health information of millions of Canadians resulting in a significant privacy breach in 2019.

The joint investigation revealed that the company's failure to implement reasonable safeguards to protect the personal health information of millions of Canadians violated Ontario's health privacy law, PHIPA, and BC's personal information protection law, PIPA.

The Ontario and BC offices determined the company:

• failed to take reasonable steps to protect the personal health information in its electronic systems;
• failed to have adequate information technology security policies in place; and
• collected more personal health information than was reasonably necessary.

Both offices have ordered LifeLabs to implement a number of measures (summarized in the accompanying backgrounder) to address these shortcomings.

Publication of the report is being held up by LifeLabs' claims that information it provided to the commissioners is privileged or otherwise confidential. The commissioners reject these claims. The IPC and BC OIPC intend to publish the report publicly, unless Lifelabs takes court action.

"Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario's health privacy law. This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.  I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation."

— Brian Beamish, Information and Privacy Commissioner of Ontario

"LifeLabs' failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn't happen again.

This investigation also reinforces the need for changes to BC's laws that allow regulators to consider imposing financial penalties on companies that violate people's privacy rights.  This is the very kind of case where my office would have considered levying penalties."

— Michael McEvoy, Information and Privacy Commissioner of British Columbia

On March 25, 2020, the Ontario government amended Ontario's health privacy law. Once implemented, Ontario will be the first province in Canada to give the Information and Privacy Commissioner the power to levy monetary penalties against individuals and companies that contravene PHIPA.

• Background:
• Backgrounder
• LifeLabs Privacy Breach – December 17, 2019

Backgrounder

• LifeLabs is Canada's largest provider of general health diagnostic and specialty laboratory testing services. It has been in operation for over 50 years and currently has 5,700 employees. It provides a full range of outpatient laboratory services and other testing services, including genetics and naturopathic testing.
  
  
• LifeLabs performs over 100 million laboratory tests each year, with 20 million annual patient visits to its locations. Its website hosts Canada's largest online patient portal, on which more than 2.5 million individuals access their laboratory results each year.
  
  
• On November 1 and 5, 2019, respectively, LifeLabs notified the Office of the Information and Privacy Commissioner of Ontario (Ontario IPC) and the Office of the Information and Privacy Commissioner for British Columbia (BC OIPC) of a potential privacy breach under Ontario's Personal Health Information Protection Act (PHIPA) and British Columbia's Personal Information Protection Act (PIPA).
  
  
• LifeLabs advised that on October 28, 2019, it detected a cyberattack on its computer systems. On December 17, 2019, the Ontario and BC privacy commissioners announced their joint investigation into the breach, which affected millions of Canadians.
  
  
• The Ontario IPC and BC OIPC have not published their investigation report because LifeLabs has claimed that some of the information contained in the report is privileged or confidential and objected to the release of that information.
  
  
• The Ontario IPC and BC IPC have made a finding that LifeLabs has not proven these claims and they intend to issue the report publicly unless LifeLabs decides to try to get a court ruling that the information is privileged or confidential.

Findings

Some of the findings made by the commissioners in the investigation of the LifeLabs breach were¹:

• LifeLabs failed to take reasonable steps to safeguard personal information and personal health information.
  
  
• LifeLabs did not have adequate information technology security policies and information practices in place.
  
  
• In a specific instance, LifeLabs collected more information than necessary.
  
  
• LifeLabs took reasonable steps to contain and investigate the breach.
  
  
• Since the breach, LifeLabs has, for the most part taken reasonable steps to address the shortcomings in its information technology security measures. However, additional steps are required as reflected in the orders below.

The Ontario IPC made the following additional findings in this investigation:

• While LifeLabs has largely taken adequate steps to notify affected individuals of the breach, its process for notifying individuals of which specific elements of their own health information were compromised was inadequate. 
  
  
• The terms under which LifeLabs provides laboratory services to other health information custodians require clarification.

Given these findings, the commissioners issued the following orders to LifeLabs:

• LifeLabs is ordered to improve specific practices regarding information technology security.
  
  
• LifeLabs is ordered to formally put in place written information practices and policies with respect to information technology security.
  
  
• LifeLabs is ordered to cease collecting specified information and to securely dispose of the records of that information which it has collected.

The Ontario IPC issued the following additional orders:

• LifeLabs is ordered to improve its process for notifying individuals of the specific elements of their personal health information which were the subject of the breach.
  
  
• LifeLabs is ordered to clarify and formalize its status with respect to health information custodians in Ontario with whom it has contracts to provide laboratory services.

In addition, the commissioners recommended that:

• LifeLabs consult with independent third-party experts with respect to whether a longer period of credit monitoring service would be more appropriate in the circumstances of this breach.

___________________________
¹ In the following, some of the findings and orders are paraphrased and details omitted for confidentiality reasons.

SOURCE Office of the Information and Privacy Commissioner/Ontario

Media contact: Jason Papadimos (Ontario IPC), [email protected], 416-326-3965; Michelle Mitchell (BC OIPC), [email protected], 250-217-7872

Related Links

www.ipc.on.ca