A joint investigation by the privacy commissioners of B.C. and Ontario has found LifeLabs failed to put in place reasonable safeguards to protect the personal health information of millions of Canadians.
A statement released on Thursday by the commissioners said the breach last year at LifeLabs, one of Canada’s largest medical services companies, broke B.C.’s personal information protection law and Ontario’s health privacy law.
There are four LifeLabs locations in Kamloops: two downtown, one in Aberdeen and one in North Kamloops.
The joint investigation found LifeLabs collected more personal health information than was necessary, failed to protect that data in its electronic systems and relied on inadequate information technology security policies.
Both offices have ordered LifeLabs to address the shortcomings through measures that include improving its security systems and creating written policies and practices regarding information technology security.
LifeLabs revealed last November that hackers gained access to the personal information of up to 15 million customers, almost all in Ontario and B.C., and that the company was forced to pay a ransom to retrieve and secure the data. Hackers gained access to the computer system that held customer information from 2016 and earlier that could include names, addresses, email addresses, login user names and passwords, dates of birth, health card numbers and lab test results.
The breach was determined to have affected millions of Canadians and the privacy commissioners announced their joint probe in mid-December.
Michael McEvoy, information and privacy commissioner of B.C., said the failure by LifeLabs to properly protect the personal health information is unacceptable.
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm. The orders made are aimed at making sure this doesn’t happen again.”
Ontario commissioner Brian Beamish said the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.
“I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation,” Beamish said in the statement.
LifeLabs issued a statement saying it has taken steps to accelerate its strategy to strengthen its information security systems, including appointing a chief information security officer to lead the improvements.
The firm said it has accelerated its information security management program with an initial $50-million investment and has hired a third-party service to evaluate its response.
“What we have learned from last year’s cyberattack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do,” LifeLabs said in its statement.
A proposed class-action lawsuit was filed against the company last year over the data breach. The statement of claim filed in Ontario accused the firm of negligence, breach of contract and violating its customers’ confidence, as well as privacy and consumer protection laws.
In January, in response to a query from KTW, the Office of the Information and Privacy Commissioner of B.C. confirmed there is no legislation that mandates private information held by a company be encrypted.
“Neither the Freedom of Information and Protection of Personal Information Act (FIPPA), which applies to public bodies, nor the Personal Information Protection Act (PIPA), which applies to private organizations, specifically mention encryption,” the office said in an email.
Section 30 of the Freedom of Information and Protection of Personal Information Act states: “A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”
Section 34 of the Personal Information Protection Act states: “An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.”
The Office of the Information and Privacy Commissioner recommends organizations implement technical safeguards, including ensuring computers and networks are secure from intrusion by using firewalls, intrusion-detection software and antivirus software and by encrypting personal information.
In January 2013, patient information for 16,100 Kamloops-area residents was on a computer hard drive that went missing as it was being transferred by LifeLabs from Kamloops to Burnaby.