LifeLabs Failed to Protect Personal Health Information of Millions of Canadians: Investigation


TORONTO – LifeLabs has failed to protect the personal health information of millions of Canadians, according to a joint investigation.

The joint investigation of the Information and Privacy Commissioners of Ontario and British Columbia finds that the failure resulted in a significant privacy breach in December 2019, which affected 15 million Canadians, mainly in these two provinces.

“Our investigation revealed that LifeLabs failed to take the necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s privacy law,” said Brian Beamish, Information and Privacy Commissioner of Ontario, in a press release.

“This breach should remind organizations large and small that they have a duty to be vigilant against these types of attacks. I look forward to providing the public, and particularly those affected by the violation, with full details of our investigation.”

Michael McEvoy, Information and Privacy Commissioner of British Columbia, added: “LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. loss and damage to reputation. Orders placed are aimed at ensuring that this does not happen again.”

The investigation indicates that LifeLabs:

  • Failed to take reasonable steps to protect confidential information in its electronic systems, in violation of Ontario's privacy law, the Personal Health Information Protection Act (PHIPA), and British Columbia's law on the protection of personal information;

  • failed to put in place adequate IT security policies;

  • collected more personal information than necessary.

The report’s release is being delayed, according to the commissioners, because LifeLabs says the information the company provided is confidential. The commissioners reject this claim and say they plan to release the report unless LifeLabs takes legal action.

The joint investigation found that LifeLabs had taken “reasonable steps” to contain and investigate the breach, and the Information and Privacy Commissioner of Ontario ordered the laboratory testing provider to implement a number of additional measures to further address the deficiencies revealed in the investigation.

Their recommendations for LifeLabs include:

  • Improve specific information technology security practices;

  • formally put in place written policies and practices for information technology security;

  • cease collecting specified information and securely dispose of records of such information that it has collected;

  • improve its process for notifying individuals of the personal health information that has been exposed in the breach;

  • clarify and formalize its status with respect to health information custodians in Ontario with whom it has contracts to provide laboratory services.

Finally, the Commissioners recommended that LifeLabs consult with independent third-party experts on whether it would be appropriate to offer customers a longer period of credit monitoring service given the circumstances of the breach.

In a statement posted online, LifeLabs said it had received the report and was “reviewing” the results.

“From the start, LifeLabs has been committed to being open and transparent and we will continue to follow these principles as we work together on the way forward,” the statement continued.

“On the day we announced the cyberattack last year, we made a commitment to our customers to learn and work hard to regain their trust. We cannot change what has happened, but we assure you that we have done everything possible to provide our customers with service they can count on.”

LifeLabs said it made a number of changes in early June to strengthen its information security system, including:

  • Appointing an information security officer, a privacy officer and an information officer;

  • investing $50 million to improve its information security system;

  • deploying cybersecurity companies to investigate the deep web for information related to the attack;

  • establishing an Information Security Council comprised of cybersecurity experts;

  • implementing more powerful cybercrime detection technology across the enterprise.

“What we learned from last year’s cyber attack is that we must continually work to protect ourselves against cybercrime by placing data protection and privacy at the heart of everything we do,” the statement continued. “We are committed, through our partnership with experts, the healthcare industry, governments and IT companies, to become a global leader in healthcare data protection.”

In the aftermath of the 2019 breach, LifeLabs offered its clients a free year of cyber protection services, including dark web monitoring and identity theft insurance.

The British Columbia and Ontario privacy commissioners were first notified of the breach in November 2019. The offices announced their joint investigation in mid-December after it was revealed that the breach had affected millions of Canadians.
