A joint investigation by Ontario and British Columbia’s information and privacy commissioners has concluded that laboratory testing company LifeLabs failed to protect the personal health information of 15 million Canadians.
LifeLabs first reported that it suffered a massive cyberattack last December. The attack primarily affected the information of BC and Ontario residents.
Not long after LifeLabs announced that it had sustained a cyberattack, two class action lawsuits were filed against the company in both BC and Ontario. The lawsuits accused the lab testing firm of negligence, breach of contract, violating its customers’ confidence as well as privacy and consumer protection laws, and inadequate security/security training for employees.
An investigation into the data breach was later launched, and it found that LifeLabs failed to implement “reasonable” defences to protect personal health information. The inadequate cyber defences violated BC’s personal information protection law, Ontario’s health privacy law and the Personal Health Information Protection Act, the investigation concluded.
“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable,” BC information and privacy commissioner Michael McEvoy said in a statement.
McEvoy added that LifeLabs left millions of Canadians exposed to “potential identity theft, financial loss and reputational harm.”
The investigation also found that LifeLabs failed to secure adequate technology security policies, and that the company was collecting more personal information than necessary.
“The breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks,” commented Ontario information and privacy commissioner Brian Beamish.
LifeLabs has been ordered by both commissioners to immediately implement cybersecurity measures, CBC News reported.