Ontario and BC Privacy Commissioners Find LifeLabs Failed to Protect Personal Health Information of Millions of Canadians
A joint investigation by the Information and Privacy Commissioners of Ontario and British Columbia (BC) has found that Canadian laboratory testing company LifeLabs failed to protect the personal health information of millions of Canadians, a failure that resulted in a data breach in 2019.
In a statement, the Information and Privacy Commissioners of Ontario and BC said the two offices found that LifeLabs failed to take reasonable steps to protect the personal health information in its electronic systems; failed to have adequate information technology security policies in place; and collected more personal health information than was reasonably necessary. LifeLabs is the largest provider of general health diagnostic and specialty laboratory testing services in Canada. It conducts over 100 million laboratory tests annually and supports 20 million patient visits annually. Its website is visited by more than 2.3 million Canadians to access their laboratory results each year.
According to the Information and Privacy Commissioners of Ontario and BC, LifeLabs reported a cyberattack on its computer systems to the two offices on November 1, 2019. The cyberattack affected approximately 15 million LifeLabs customers, exposing names, addresses, email addresses, customer logins and passwords, health card numbers, and laboratory test results. Affected customers were mostly from Ontario and British Columbia.
The two offices issued the following orders to LifeLabs: improve specific practices regarding information technology security; put in place written information practices and policies with respect to information technology security; and cease collecting specified information and securely dispose of the records of that information it has already collected.
“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law," Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement. "This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks."
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” Michael McEvoy, Information and Privacy Commissioner of British Columbia, said in a statement. “The orders made are aimed at making sure this doesn’t happen again. This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”
Last March 25, the Ontario government amended its health privacy law, making it the first province in Canada to give the Information and Privacy Commissioner the authority to levy monetary penalties against those who violate Ontario's Personal Health Information Protection Act (PHIPA).
According to the Ontario and BC privacy commissioners, they have so far been unable to release the full report of their findings because LifeLabs asserted that the information it provided to the commissioners is privileged or otherwise confidential. The privacy commissioners said they intend to publish the full report unless LifeLabs takes court action to block it.
LifeLabs, for its part, said it is reviewing the findings of the report by the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner of British Columbia. "We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon," LifeLabs said.
According to LifeLabs, one of the changes made as a result of the cyberattack on its IT systems is the appointment of a Chief Information Security Officer (CISO), a Chief Privacy Officer and a Chief Information Officer. The company added that it has enhanced and accelerated its Information Security Management program with an initial $50 million investment aimed at achieving ISO 27001 certification, the international standard for information security management systems.
Stealing of Data and Ransom Demand
According to the Information and Privacy Commissioners of Ontario and BC, LifeLabs told the two offices in November 2019 that the attacker or attackers had penetrated the company's systems, extracted data and demanded a "ransom".
In December 2019, Charles Brown, LifeLabs' president and CEO, in a statement, admitted to "retrieving the data by making a payment". "We did this [paying the ransom] in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals...."
To date, neither the statements of the Information and Privacy Commissioners of Ontario and BC nor those of LifeLabs use the word "ransomware". Given this lack of detail, it is unclear whether files on LifeLabs' systems were actually encrypted, or whether the attack was purely a case of data theft followed by extortion.
What is clear is that the cyberattack on LifeLabs involved the theft of data, a ransom demand and, in this case, a ransom payment. There are currently over a dozen ransomware groups that openly acknowledge that they do not merely demand a ransom to decrypt the files they have encrypted; they also steal data before encrypting it and use that stolen data as additional leverage should the victim refuse to pay for decryption.
Several months ago, the group behind the ransomware called "Maze" started the trend of naming and shaming ransomware victims that refuse to pay for decryption of their encrypted files. The group created a website that lists victims that refuse to pay and threatens that continued refusal will result in the publication of the data stolen prior to encryption.
The group behind the ransomware called "REvil", also known as "Sodinokibi", recently created an eBay-like auction site on which it auctions the files of ransomware victims that continue to refuse to pay. The REvil group auctioned the stolen files of a Canadian agricultural production company, one of its ransomware victims that refused to pay, offering three databases and 22,000 files stolen from the company to the successful bidder.
No organization is immune. Dealing with a cyberattack and its consequences is not a matter of IF but a matter of WHEN. Get a head start by identifying and mitigating key IT risks today. Schedule a free assessment today or call 1.888.900.DRIZ (3749)
Steve E. Driz, I.S.P., ITCP