Investigators found the company had not taken reasonable steps to shield sensitive information
The Information and Privacy Commissioners of Ontario and British Columbia have published their investigation report on the 2019 LifeLabs data breach following the Ontario Court of Appeal’s dismissal of LifeLabs’ appeal to block its release.
The breach exposed the personal and health information of millions of Canadians. It was the subject of a detailed joint investigation which revealed that LifeLabs, a provider of diagnostic and health testing services, failed to meet its legal obligations under Ontario’s Personal Health Information Protection Act (PHIPA) and British Columbia’s Personal Information Protection Act (PIPA). Investigators found that the company had not taken reasonable steps to safeguard sensitive personal and health information against a cyberattack.
Although LifeLabs complied with the orders and recommendations issued by the commissioners, it sought to block the public release of the investigation report, citing claims of solicitor-client and litigation privilege. In 2020, the commissioners rejected LifeLabs’ claims, stating that the company had not provided sufficient evidence to substantiate its privilege arguments.
LifeLabs pursued a judicial review of the commissioners’ decision, but Ontario’s Divisional Court upheld the findings, ruling that the information in the report was not protected by privilege. LifeLabs sought leave to appeal to the Ontario Court of Appeal, which recently dismissed the motion, clearing the way for the publication of the report.
Patricia Kosseim, Ontario’s Information and Privacy Commissioner, welcomed the decision. “Personal health information is particularly sensitive, and privacy breaches can have devastating impacts for individuals, ultimately undermining trust in Ontario’s health care system,” Kosseim said in a statement. She emphasized the importance of transparency in restoring public trust and ensuring organizations learn from such incidents to strengthen cybersecurity measures.
Michael Harvey, British Columbia’s Information and Privacy Commissioner, echoed the sentiment. “The road to accountability and transparency has been too long for the millions of British Columbians and people across the country who were victims of the 2019 LifeLabs cyberattack,” he said. Harvey criticized LifeLabs’ inadequate safeguards and stressed that the publication of the report serves as a critical step in preventing future breaches.
The investigation highlighted significant deficiencies in LifeLabs’ data security practices and its response to the breach. The commissioners found that LifeLabs failed to implement reasonable safeguards to protect sensitive information from theft, loss, and unauthorized access. The company also did not establish or follow policies and practices that complied with Ontario’s PHIPA and BC’s PIPA. Additionally, LifeLabs collected more personal and health information than was reasonably necessary for its purposes, exposing an excessive amount of data to risk.
The Ontario Commissioner identified further issues, including LifeLabs’ failure to notify all affected individuals about the details of the breach without requiring formal access requests. This delay breached PHIPA’s requirement to notify individuals at the earliest reasonable opportunity. The investigation also found inadequacies in LifeLabs’ contractual arrangements with a hospital and other health custodians, which did not clearly define the parties’ roles and responsibilities under PHIPA.
In response to these findings, the commissioners issued several orders to LifeLabs. The company is required to improve its security practices, including subscribing to security alert notifications for software vulnerabilities and implementing comprehensive written policies on IT safeguards. LifeLabs must also stop collecting failed login credentials, securely dispose of existing records, and create a process to notify all affected individuals about what specific information was compromised. Additionally, the company must formalize its contractual relationships with health custodians in Ontario to clarify its legal obligations under PHIPA.
The commissioners also recommended that LifeLabs consult independent experts to determine whether extending credit monitoring services for affected individuals would be more appropriate given the circumstances of the breach.