On June 25, 2020, the Ontario and British Columbia Information and Privacy Commissioners just shared the results of their joint investigation regarding a serious breach that took place in 2019 – the findings revealed that LifeLabs, Canada’s largest provider of general health diagnostic and specialty laboratory testing services, failed to protect the personal health information of millions of Canadians. In fact, it was found that there was: a failure to implement reasonable safeguards to protect the personal health information; a failure to take reasonable steps to protect the personal health information in its electronic systems; a failure to have adequate information technology security policies in place; and the collection of more personal health information than was reasonably necessary in one instance. These failures were found to be in violation of Ontario’s Personal Health Information Protection Act (PHIPA) and British Columbia’s Personal Information Protection Act (PIPA)

Consequently, LifeLabs was ordered to implement several measures to address the situation.

What is LifeLabs?

As can be seen in the Backgrounder, LifeLabs has been operating for over 50 years and provides outpatient laboratory services and other testing services, including genetics and naturopathic testing. In fact, LifeLabs performs over 100 million lab tests per year and has about 20 million annual patient visits. It hosts Canada’s largest online patient portal, where over 2.5 million individuals access their laboratory results each year.

What happened in 2019?

On November 1 and 5, 2019, LifeLabs notified the Office of the Information and Privacy Commissioners of Ontario and British Columbia of a potential privacy breach under PHIPA and PIPA. That is, on October 28, 2019, LifeLabs detected a cyberattack on its computer systems.

In response, on December 17, 2019, the Ontario and BC Commissioners announced their joint investigation into the breach in a Statement, with the goal of examining the scope of the breach, the circumstances leading to it, and what, if any, measures LifeLabs could have taken to prevent and contain the breach, and to ensure the future security of personal information and avoid further attacks. It was also noted that the cyber criminals penetrated the company’s systems, extracted data, and demanded a ransom. LifeLabs worked with outside cybersecurity consultants to investigate the incident and restore the security of the data.

According to the December 17, 2019 Backgrounder on the breach, it was revealed that there was a large-scale breach of systems containing information of an estimated 15 million people mostly in Ontario and British Columbia. Most concerning, the kind of information that was affected included: names; addresses; emails; customer logins and passwords; dates of birth; health card numbers; and, for some customers, lab tests.

It was stressed that there were things that organizations could do to protect themselves from cyberattacks, including employee training, limiting user privileges, and software protection. They also provided some helpful guidance for organizations (provided below).

What did the Information and Privacy Commissioners of Ontario and British Columbia find?

Following their investigation, the Information and Privacy Commissioners found several violations of both PHIPA and PIPA:

• LifeLabs failed to take reasonable steps to safeguard personal information and personal health information

• LifeLabs did not have adequate information technology security policies and information practices in place

• LifeLabs collected more information than necessary in one instance

They noted that, although LifeLabs took reasonable steps to contain and investigate the breach, there were still some steps that were required to be taken, such as dealing with issues the process for notifying individuals when health information was compromised, and the terms under which LifeLabs provides laboratory services to other health information custodians.

Therefore, the Commissioners issued orders to LifeLabs to:

• improve specific practices regarding information technology security

• formally put in place written information practices and policies with respect to information technology security

• cease collecting specified information and to securely dispose of the records of that information which it has collected

• improve its process for notifying individuals of the specific elements of their personal health information which were the subject of the breach

• clarify and formalize its status with respect to health information custodians in Ontario with whom it has contracts to provide laboratory services

They also recommended that LifeLabs consult with independent third-party experts with respect to whether a longer period of credit monitoring service would be more appropriate in the circumstances of this breach.

Some lasting comments made by the Information and Privacy Commissioners

Both the Ontario and British Columbia Information and Privacy Commissioners made some important comments during the announcement of their recent findings regarding LifeLabs.

More specifically, Brian Beamish, Information and Privacy Commissioner of Ontario, stated the following:

Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law. This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks. I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation.

Additionally, Michael McEvoy, Information and Privacy Commissioner of British Columbia, stated the following:

LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn’t happen again. This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.

What organizations take from this incident?

One encouraging aspect is that there are strategies that can be utilized to protect organizations from cyberattacks, such as employee training, limiting user privileges, and software protection. Moreover, it is important for all organizations to take heed of the words of Brian Beamish, mentioned above, emphasizing the need to be vigilant against these types of attacks. Similarly, it is critical for organizations to take note of Michael McEvoy’s above-noted comment and ensure that they do not fail to protect the personal health information of Canadians, and instead ensure that they are using the proper safeguards.

A great deal is at stake – the dangers include identity theft, financial loss, and reputational harm of Canadians. In this case, the breach involved some of the most sensitive information that individuals can have.

To that end, all organizations are recommended to proactively review their policies and procedures that address creating and implementing reasonable safeguards in order to prevent and address these types of attacks and sufficiently protect personal and personal health information.

For further information, please visit the following fact sheets dealing with phishing here, privacy breaches in public sector organizations here, responding to a privacy breach (guidelines for the health sector) here, and ransomware here.

Human Resources PolicyPro and Information Technology PolicyPro from First Reference offer policies that can be customized to suit your organization. Log in to Human Resources PolicyPro or Information Technology PolicyPro to access ON 5.07 – Employee Privacy and a wealth of privacy and data protection information in Information Technology PolicyPro. Not a subscriber? Request a free 30-day trial of either publication here.