Breach Aftermath: Authorities Order Lab to Improve Security
LifeLabs' 2019 Breach Exposed Data on 15 Million Canadians
Canadian information privacy regulators have ordered medical testing laboratory LifeLabs to improve its data security practices following their investigation into a 2019 breach that exposed the health data of 15 million individuals.
Among the steps LifeLabs was ordered to take are implementing information technology security policies, ceasing to unnecessarily collect certain personal information and disposing of unnecessary information in a secure manner.
Personal Data Breached
In a statement Thursday, the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia said their joint investigation into the LifeLabs incident "revealed that the company's failure to implement reasonable safeguards to protect the personal health information of millions of Canadians violated Ontario's Personal Health Information Protection Act - or PHIPA - and BC's Personal Information Protection Act, or PIPA."
On Dec. 17, 2019, Toronto-based LifeLabs revealed that attackers gained unauthorized access to data on 15 million individuals in late October. The lab then retrieved the data "by making a payment," the statement said. "We did this in collaboration with experts familiar with cyberattacks and negotiations with cybercriminals." The company did not reveal whether the attack involved ransomware.
LifeLabs said its investigation into the incident shows that data exposed included customer names, addresses, emails, birthdates, logins, passwords, health card numbers and, in some cases, lab results.
In a Thursday statement, LifeLabs says it has not confirmed any public disclosure of customer data exposed in the attack.
Canada's Largest Lab
LifeLabs is Canada's largest provider of general health diagnostic and specialty laboratory testing services, employing 5,700 and performing over 100 million laboratory tests each year, the government agencies note in a backgrounder document issued with their joint statement.
LifeLabs' website hosts Canada's largest online patient portal. More than 2.5 million individuals access their laboratory results through it each year, the two government agencies note.
"This breach is unprecedented in size and scope, and should serve as a reminder to all institutions, large and small, to have appropriate safeguards in place," said the two Canadian agencies in a statement to Information Security Media Group on Friday.
"It's crucial to be vigilant and to ensure that cybersecurity mechanisms are continually updated as technology and methods of infiltrating evolve."
In addition to the government enforcement actions against LifeLabs, the company is also facing several class action lawsuits related to the breach.
In their statement, the government officials said their investigation into the incident determined that LifeLabs:
- Failed to take reasonable steps to protect the personal health information in its electronic systems;
- Failed to have adequate information technology security policies in place;
- Collected more personal health information than was reasonably necessary.
The agencies recommended that LifeLabs consult with independent third-party experts "with respect to whether a longer period of credit monitoring service would be more appropriate in the circumstances of this breach."
Last December, LifeLabs said affected individuals were being offered one year of pre-paid credit monitoring that includes dark web monitoring and identity theft insurance.
Since the breach, LifeLabs has, for the most part, taken reasonable steps to address the shortcomings in its information technology security measures, the agencies note. "However, additional steps are required."
While LifeLabs has largely taken "adequate steps" to notify affected individuals of the breach, "its process for notifying individuals of which specific elements of their own health information were compromised was inadequate," the agencies say. "The terms under which LifeLabs provides laboratory services to other health information custodians require clarification."
Given these findings, the officials have ordered LifeLabs to:
- Improve specific practices regarding information technology security;
- Put in place written practices and policies for information technology security;
- Cease collecting certain information and securely dispose of the records of that information which it has collected.
The statement also notes that the Ontario IPC also ordered LifeLabs to improve its process for notifying individuals of the specific elements of their personal health information exposed in the breach.
No Financial Penalty Levied
"This investigation also reinforces the need for changes to BC's laws that allow regulators to consider imposing financial penalties on companies that violate people's privacy rights. This is the very kind of case where my office would have considered levying penalties," said Michael McEvoy, information and privacy commissioner of British Columbia.
The joint statement notes that on March 25, 2020, the Ontario government amended its health privacy law.
"Once implemented, Ontario will be the first province in Canada to give the information and privacy commissioner the power to levy monetary penalties against individuals and companies that contravene PHIPA."
In the U.S., the Department of Health and Human Services' Office for Civil Rights has issued both fines and settlements for dozens of organizations that failed to protect health data as required under HIPAA.
The two Canadian agencies also note that publication of a more detailed report about their joint investigation "is being held up by LifeLabs' claims that information it provided to the commissioners is privileged or otherwise confidential."
"The IPC and BC OIPC intend to publish the report publicly, unless LifeLabs takes court action," the joint statement says.
"LifeLabs has 14 days from June 25 to let us know whether they intend to file a court action. We will not publish the report before then, unless LifeLabs informs us that they do not intend to file a court action," the agencies tell ISMG in a statement.
LifeLabs did not immediately respond to ISMG's request for comment and additional information.
In a June 25 statement about the commissioners' investigation, LifeLabs listed a number of measures it has already taken to bolster its information security and privacy programs.
Those steps include:
- Appointing a CISO and hiring a chief privacy officer and a CIO;
- Enhancing and accelerating its information security management program through an initial $50 million investment with a goal of achieving ISO 27001 certification;
- Engaging a third-party professional services firm to objectively evaluate the response to the cyberattack and the efficacy of the company's security programs and capabilities, and to make recommendations for process enhancements;
- Hiring cybersecurity firms to monitor the darknet and other locations for information related to the cyberattack;
- Establishing an information security council with internal and external cybersecurity experts who will regularly report to the company's CEO and the board of directors on information security practices and protocols;
- Implementing strengthened cybercrime detection technology across the organization;
- Implementing annual organization-wide security and privacy awareness and training programs.
"What we have learned from last year's cyberattack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do," LifeLabs said in the statement. "We have made a commitment through our partnership with experts, the healthcare sector, governments and IT companies, to become a global leader in protecting healthcare data."