A major cyberattack that resulted in over 15 million personal data breaches at LifeLabs last year has been found to be the result of inadequate safeguards.

The results of a joint investigation conducted by the information and privacy commissioners (IPC) of Ontario and B.C. find that the company failed to protect their patients’ information.

According to a statement released on Thursday, the investigation found that LifeLabs violated Ontario’s health privacy law, the Personal Health Information Protection Act (PHIPA), and B.C.’s personal information protection law.

See also: LifeLabs pays ransom after losing 15 million patient records to cyber attack

The company was found to have collected more personal health information than was necessary, did not have adequate information technology security policies in place, and failed to “take reasonable steps to protect the personal health information in its electronic systems”.

LifeLabs has been ordered by both commissioners to rectify their shortcomings through the following orders:

  • Improve specific practices regarding information technology security.
  • Formally put in place written information practices and policies with respect to information technology security.
  • Cease collecting specified information and to securely dispose of the records of that information which it has collected.

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn’t happen again,” said Michael McEvoy,  information and privacy commissioner of British Columbia.

“This investigation also reinforces the need for changes to B.C.’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”

The cyberattack was detected by LifeLabs on October 28, 2019 after which the company advised its patients that over 15 million people had their personal data breached.

The majority of those people were residents in B.C. and Ontario, and the data included customers’ names, addresses, emails, logins, passwords, dates of birth, health card numbers, and lab test results.

On November 1st, 2019, the company notified the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) about the attack.

LifeLabs then consulted with outside cybersecurity firms and made a ransom payment to secure the data. They did not disclose how much was paid.

This was the second privacy concern from the company in recent years.

In 2013, a hard drive was stolen from a LifeLabs computer in Kamloops that contained personal information including patients’ names, addresses, and health care numbers.

The hard drive was lost in January but authorities were notified of the security breach in June. Over 16,000 people were affected by the theft.

LifeLabs performs over 100 million laboratory tests each year, with 20 million annual patient visits to its locations. Its website hosts Canada’s largest online patient portal, on which more than 2.5 million individuals access their laboratory results each year.

With files from Cormac O’Brien.