LifeLabs data breach report released after company’s attempt to keep it quiet

A long-secret investigation into a 2019 hack at LifeLabs Inc. that compromised the health data of millions of Canadians has finally been made public after an Ontario court rejected the company’s appeal aimed at preventing its disclosure.

A statement from the Ontario and British Columbia privacy commissioners says their joint report, completed in June 2020, found that LifeLabs “failed to take reasonable steps” to protect customer data while collecting more personal health information than was “reasonably necessary.”

The report ordered LifeLabs to address a number of issues, such as properly staffing its security team, and the commissioners’ statement said the company complied with all orders and recommendations.

LifeLabs had cited litigation and attorney-client privilege to prevent the document’s release, but the commissioners’ offices objected.

The company then sought judicial review in the Ontario Divisional Court before the matter went to the Ontario Court of Appeal, where LifeLabs’ appeal was dismissed.

British Columbia’s Information and Privacy Commissioner Michael Harvey said in a statement that “the road to accountability and transparency has been too long” for victims of the breach.

“LifeLabs’ failure to put in place adequate safeguards to protect against this attack violated patients’ trust, and the risk to which this exposed them was unacceptable,” Harvey said. “When this happens, it is important to learn from past mistakes so that others can prevent future violations from occurring.” But to learn lessons, we must share them.

Ontario’s Information and Privacy Commissioner Patricia Kosseim said in the statement that she was pleased with the court’s decision to uphold her office’s decision “to help restore the public confidence in oversight mechanisms designed to hold organizations accountable.”

In May, Canadians who applied to join a class-action lawsuit against LifeLabs began receiving checks and e-transfers, with administrator KPMG saying more than 900,000 valid claims had been received.

An Ontario court has approved a total Canada-wide settlement of up to $9.8 million for the data breach, which allowed hackers to access the personal information of up to 15 million customers.
