British Columbia

LifeLabs failed to protect personal health information of millions, commissioners say

LifeLabs failed to protect the personal health information of millions of Canadians, resulting in a "significant privacy breach," according to a joint investigation by Ontario and B.C.'s information and privacy commissioners.

Company ordered to implement new measures to address shortcomings after joint Ontario-B.C. investigation

The data breach of laboratory testing company LifeLabs affected around 15 million Canadians. (Cole Burston/The Canadian Press)

LifeLabs failed to protect the personal health information of millions of Canadians, resulting in a "significant privacy breach," according to a joint investigation by Ontario and B.C.'s information and privacy commissioners.

Last December, the laboratory testing company revealed it had been the target of a large cyberattack affecting the private information of 15 million Canadians — mainly residents of B.C. and Ontario. 

The joint investigation found the company failed to implement reasonable safeguards to protect the personal health information, which violated B.C.'s personal information protection law, Ontario's health privacy law and the Personal Health Information Protection Act.

"LifeLabs' failure to properly protect the personal health information of British Columbians and Canadians is unacceptable," B.C. information and privacy commissioner Michael McEvoy said in a statement.

"LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm."

The results of the investigation also found that LifeLabs failed to have adequate technology security policies and collected more personal information than necessary.

"This investigation also reinforces the need for changes to B.C.'s laws that allow regulators to consider imposing financial penalties on companies that violate people's privacy rights," McEvoy said.

His counterpart in Ontario, Brian Beamish, said "the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks."

LifeLabs says it is also working with a third-party firm to evaluate its security systems. (CBC)

The Canadian laboratory testing company has been ordered by both offices to implement measures to address these shortcomings.

In a response to the investigation's findings, LifeLabs said it will continue to work to protect itself against cybercrime by making data protection and privacy central to how it operates, adding it has made a commitment to its customers to work hard to earn back their trust. 

In June, the company announced it had also hired a third-party firm to evaluate its response to the cyberattack, as well as its security systems.

Health minister confident in LifeLabs

Despite the controversy in December, B.C.'s health minister, Adrian Dix, says the province renewed its longtime contract with LifeLabs. However, Dix says the new contract includes strengthened privacy considerations and the space to incorporate the recommendations of the commissioners.

"People can be confident that significant changes have been made when they go to LifeLabs," said Dix.

"LifeLabs has been longtime partners in the [provincial healthcare] system but it's our expectation that they do better."

Tanya Fletcher

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

now