While the fallout from the LifeLabs privacy breach continues to reverberate in the form of proposed class action lawsuits and patients still trying to determine if their personal medical information was accessed, the Office of the Information and Privacy Commissioner of B.C. has confirmed there is no legislation that mandates private information held by a company be encrypted.
“Neither the Freedom of Information and Protection of Personal Information Act (FIPPA), which applies to public bodies, nor the Personal Information Protection Act (PIPA), which applies to private organizations, specifically mention encryption,” the office confirmed in an email response to a query from KTW.
Personal information of up to 15 million LifeLabs patients, primarily in B.C. and Ontario, may have been accessed during a cyberattack on the company’s computer systems in October. LifeLabs reported it to authorities on Nov. 1, but the breach was not made public until mid-December.
LifeLabs said it retained outside cybersecurity consultants to investigate and assist with restoring the security of its data.
While LifeLabs states on its website that its patient information is encrypted, company CEO Charles Brown told the CBC’s Early Edition on Dec. 18 that he did not know if the information hacked was, indeed, encrypted.
Here is the text that can be found on the LifeLabs website: “Our security practices are designed to protect your personal information and prevent unauthorized access. Only authorized employees are permitted to access personal information and only when the access is necessary. Your information is protected using industry best practices, and all information is transmitted over secure, encrypted channels.”
Section 30 of the Freedom of Information and Protection of Personal Information Act states: “A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”
Section 34 of the Personal Information Protection Act states: “An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.”
Noel Boivin, senior communications officer for the Office of the Information and Privacy Commissioner of B.C., said the department has the authority to issue legally binding orders to ensure organizations comply with those requirements.
“Decisions such as these are made based on the unique facts of each case,” Boivin said. “Based on these requirements in both pieces of legislation, our office recommends encryption as a best practice.”
The Office of the Information and Privacy Commissioner recommends organizations implement technical safeguards, including ensuring computers and networks are secure from intrusion by using firewalls, intrusion-detection software and antivirus software, and by encrypting personal information.
Boivin noted findings from previous investigation reports call for organizations to encrypt data on personal storage devices.
“Our guidance is that personal information should be encrypted in transit and at rest in order to protect against unauthorized access,” said Caitlin Lemiski, the Office of the Information and Privacy Commissioner's director of policy. “The encryption, and key management, should be based on current industry-accepted standards for protecting data and should be reviewed regularly.”
LifeLabs has four clinics in Kamloops — two downtown, one in Aberdeen and one in North Kamloops.
According to the company, hackers gained access to the computer system that held customer information from 2016 and earlier that could include names, addresses, email addresses, login user names and passwords, dates of birth, health card numbers and lab test results. The access was accompanied by a ransom demand, which LifeLabs paid.
LifeLabs set up a dedicated phone line and information on its website for those affected by the breach. To find out more, the public should go online to customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.
In January 2013, patient information for 16,100 Kamloops-area residents was on a computer hard drive that went missing as it was being transferred by LifeLabs to Burnaby from Kamloops.