Canadian medical services company LifeLabs did not take reasonable steps to safeguard the personal and health information of millions of Canadians from a 2019 cyberattack, the privacy commissioners of B.C. and Ontario have found.
When the breadth of the breach was revealed, records relating to approximately 8.6 million unique individuals were identified.
The commissioners said the vast majority were from Ontario and British Columbia but people from all provinces were represented in the data.
Among the information taken were people’s names; gender; date of birth; address; postal code; health number; health-care provider name; laboratory test number; test dates, location, types and results.
A newly released report said LifeLabs asserted the information was not highly sensitive, earning it a commissioners’ rebuke: “We disagree with LifeLabs’ assessment and find their approach to be very cavalier regarding the privacy of their clients’ health information.”
“LifeLabs’ failure to put in place adequate safeguards to protect against this attack violated patients’ trust, and the risk it exposed them to was unacceptable,” said Michael Harvey, B.C. information and privacy commissioner, on Nov. 25.
The company said recommendations in the report have been implemented.
The attack
On Oct. 28, 2019, LifeLabs reported it had detected a cyberattack on its computer systems.
The report said LifeLabs received a ransom email from the attackers on Oct. 31, 2019.
The attackers claimed to have stolen LifeLabs’ patient records to receive payment in exchange for the deletion of their copy of the data.
They also offered to send LifeLabs a report detailing the exploits of their attack. To substantiate their claims, the attackers included a sample of patient records.
The attackers threatened to release the data and their report onto the internet if they did not receive payment by Nov. 15, 2019.
LifeLabs communicated with the attackers with help from a third-party technology company.
LifeLabs requested evidence to further substantiate the attackers’ claims.
“In return, the attackers provided a high-level summary of the attack and additional patient records. Following this, LifeLabs made two payments to the attackers,” the report said. “A first, partial payment was made in return for the attackers’ report. A second payment was then made to complete the exchange. In return for payment, the attackers provided LifeLabs with four datasets, which they indicated was all the LifeLabs data in their possession.”
On Dec. 17, 2019, the Ontario and B.C. privacy commissioners announced their joint investigation into the breach, which affected millions of Canadians.
The report found that LifeLabs:
• failed to take reasonable steps to protect personal information and personal health information in its custody and control from theft, loss, and unauthorized access, collection, use, disclosure, copying, modification, or disposal;
• LifeLabs failed to have in place and follow policies and information practices that comply with B.C. and Ontario privacy laws; and,
• LifeLabs collected more personal information and personal health information than is reasonably necessary to meet the purpose for which it was collected.
A Nov. 25 joint statement from the commissioners said LifeLabs performs over 100 million laboratory tests each year, with 20 million annual patient visits to its locations. Its website, meanwhile, hosts Canada’s largest online patient portal, on which more than 2.5 million individuals access their laboratory results each year.
The report was completed in 2020 but is only now available to the public.
In April, the Ontario Superior Court of Justice rejected the company’s attempts to block release.
“Both regulators have the statutory authority to coordinate and share investigations in privacy matters,” the court said in its decision.
Now, Harvey’s office said, the Ontario Court of Appeal has dismissed LifeLabs’ motion for leave to appeal that decision.
“The road to accountability and transparency has been too long for the millions of British Columbians and people across the country who were victims of the 2019 LifeLabs cyberattack,” Harvey said.
“When this happens, it is important to learn from past mistakes so others can prevent future breaches from happening. But to learn from lessons, we need to share them.”
“I’m pleased with this ruling that affirms overly broad claims of privilege cannot be used to obstruct the vital role of our offices in ensuring public accountability, transparency, and education,” he added.
Company response
In a media statement, LifeLabs said the orders and recommendations outlined in the report have long since been addressed.
“LifeLabs is pleased that the matter has been resolved and is committed to applying the valuable insights gained from the joint investigation,” the statement said.
“These findings are not only crucial for LifeLabs but also provide important lessons for all health information custodians facing the increasing challenges of cybersecurity,” it said. “LifeLabs remains dedicated to safeguarding health information and continuously improving our practices to address these evolving risks.”
Commissioner’s orders:
Among various orders from the commissioners were:
• LifeLabs ensures appropriate staff monitor security notification lists;
• LifeLabs puts in place comprehensive written information practices and policies that set out safeguards implemented to protect people’s privacy; and,
• LifeLabs ceases collecting failed login and password pairs and securely disposes of the records of that information that it has collected.
