In November, 2019, Canadian testing laboratory provider LifeLabs disclosed a data breach. In February, 2020, it tried to block regulators from accessing a report on the breach prepared for it by Crowdstrike.
Today, the B.C. and Ontario privacy commissioners released their report on the incident. It was highly critical of LifeLabs.
Knowing that the report was to be released, LifeLabs issued a press release that included listing a number of steps they had taken since the incident to improve security. Their attempt to defuse the sting of the commissioners’ report falls short, as despite their claim of transparency, they are still fighting the release of Crowdstrike’s report.
In their press release of today, the commissioners note:
– A joint investigation by the Information and Privacy Commissioners of Ontario and BC has found that LifeLabs failed to protect the personal health information of millions of Canadians resulting in a significant privacy breach in 2019.
The joint investigation revealed that the company’s failure to implement reasonable safeguards to protect the personal health information of millions of Canadians violated Ontario’s health privacy law, PHIPA, and BC’s personal information protection law, PIPA.
The Ontario and BC offices determined the company:
- failed to take reasonable steps to protect the personal health information in its electronic systems;
- failed to have adequate information technology security policies in place; and
- collected more personal health information than was reasonably necessary.
Both offices have ordered LifeLabs to implement a number of measures (summarized in the accompanying backgrounder) to address these shortcomings.
Publication of the report is being held up by LifeLabs’ claims that information it provided to the commissioners is privileged or otherwise confidential. The commissioners reject these claims.
The IPC and BC OIPC intend to publish the report publicly, unless LifeLabs takes court action.