LifeLabs failed to protect personal information in data breach, investigation finds
VANCOUVER -- After a major data breach last year, an investigation by B.C.'s privacy commissioner found LifeLabs failed to protect the personal health information of millions of Canadians.
Last November, a data breach affected systems containing information of about 15 million customers – including up to five million in B.C. The public was notified of the breach in December.
The information systems contained client data including names, addresses, emails, customer logins and passwords, health card numbers and lab tests.
A joint investigation conducted by information and privacy commissioners in both B.C. and Ontario has since found the company didn't implement "reasonable safeguards" to protect that personal information and "collected more personal health information than was reasonably necessary."
B.C.'s health minister responded to the findings Thursday, saying the province has renewed its contract with LifeLabs and that it includes provisions that "strengthen privacy considerations."
"I think people can be confident that significant changes have been made when they go to LifeLabs," Adrian Dix said, adding that the province needs to see the commissioner's report to know what other steps should be taken.
The B.C. and Ontario privacy commissioners said they plan to publish their findings publicly, unless LifeLabs takes action in court. The health minister called on LifeLabs to not stand in the way of the report being released.
During his briefing, Dix also said he thinks it's "fair to say harm was done," and that LifeLabs is a major part of B.C.'s public health-care system.
"LifeLabs is a great company and a great partner but what this has shown is that they, and all of us, have to do better," he said. "I think improvements have been made commensurate with the threat."
In a statement, LifeLabs reiterated the steps it took when the data breach was first announced.
"On the day we announced the cyber-attack last year, we made a commitment to our customers that we would learn and work hard to earn back their trust," the statement said.
"We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon."
Some of those efforts included appointing a chief information security officer, enhancing its information security management program through a $50-million investment and engaging a third-party professional services firm to evaluate the company's response to the breach.
"What we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do," the statement said.
Michael McEvoy, information and privacy commissioner of B.C., said in a statement about the investigation that the breach was "unacceptable."
"LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm," he said. "The orders made are aimed at making sure this doesn't happen again."
McEvoy also called for B.C.'s privacy rights laws to be updated.
"This investigation also reinforces the need for changes to B.C.'s laws that allow regulators to consider imposing financial penalties on companies that violate people's privacy rights," he said.
"This is the very kind of case where my office would have considered levying penalties."
Responding to McEvoy's suggestions, Dix said adding provisions for fines is "a good idea."