Privacy commissioners say LifeLabs failed to protect personal information in 2019 data breach

The company is being ordered to implement measures to address its shortcomings

The privacy commissioners of Ontario and B.C. have found that LifeLabs failed to protect customers’ personal information in the 2019 data breach.

In December last year, the company disclosed that it had suffered a data breach that affected the information of about 15 million customers. The information included names, emails, addresses, health card numbers and lab tests.

The joint investigation has now found that the company failed to implement proper safeguards to protect the personal health information of millions of Canadians, and violated privacy laws in both provinces.

LifeLabs “collected more personal health information than was reasonably necessary,” according to the investigation. It also “failed to take reasonable steps to protect the personal health information in its electronic systems” and “failed to have adequate information technology security policies in place.”

Both of the commissioners have ordered LifeLabs to implement several measures to address these flaws. For instance, LifeLabs must improve its information technology security, and has been ordered to stop collecting specified information.

Further, “LifeLabs is ordered to improve its process for notifying individuals of the specific elements of their personal health information which were the subject of the breach.”

The commissioners have not published their investigation, as LifeLabs claims that the information is privileged. However, the commissioners intend to publish the report, unless LifeLabs takes legal action.

“This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks,” said Brian Beamish, the privacy commissioner of Ontario, in a press release.

B.C. Privacy Commissioner Michael McEvoy stated that the investigation has reinforced the need for changes to the province's laws that would allow regulators to impose financial penalties on companies that violate privacy laws.

Source: Office of the Information and Privacy Commissioner of Ontario