Ontario IPC and BC OIPC find LifeLabs failed to protect personal information in 2019 breach

Canadian laboratory testing company found in violation of privacy laws

TORONTO Thursday, June 25, 2020 – A joint investigation by the Information and Privacy Commissioners of Ontario and BC has found that LifeLabs failed to protect the personal health information of millions of Canadians resulting in a significant privacy breach in 2019.

The joint investigation revealed that the company’s failure to implement reasonable safeguards to protect the personal health information of millions of Canadians violated Ontario’s health privacy law, PHIPA, and BC’s personal information protection law, PIPA.

The Ontario and BC offices determined the company:

  • failed to take reasonable steps to protect the personal health information in its electronic systems;
  • failed to have adequate information technology security policies in place; and
  • collected more personal health information than was reasonably necessary.

Both offices have ordered LifeLabs to implement a number of measures (summarized in the accompanying backgrounder) to address these shortcomings.

Publication of the report is being held up by LifeLabs’ claims that information it provided to the commissioners is privileged or otherwise confidential. The commissioners reject these claims. The IPC and BC OIPC intend to publish the report publicly, unless Lifelabs takes court action.

“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law. This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.  I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation.”

— Brian Beamish, Information and Privacy Commissioner of Ontario

 

“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable. LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn’t happen again.

This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights.  This is the very kind of case where my office would have considered levying penalties."

— Michael McEvoy, Information and Privacy Commissioner of British Columbia

On March 25, 2020, the Ontario government amended Ontario’s health privacy law. Once implemented, Ontario will be the first province in Canada to give the Information and Privacy Commissioner the power to levy monetary penalties against individuals and companies that contravene PHIPA.


Media contact:

Jason Papadimos (Ontario IPC)
@email 416 326-3965

Michelle Mitchell (BC OIPC)
@email 250 217-7872

 

Media Contact

For a quick response, kindly e-mail or phone us with details of your request such as media outlet, topic, and deadline:

Email: @email
Telephone: 416-326-3965

Contact Us

Social Media

The IPC maintains channels on LinkedIn, X (formerly Twitter), YouTube and Instagram in its efforts to communicate to Ontarians and others interested in privacy, access and related issues.

Our Social Media Policy

Help us improve our website. Was this page helpful?
When information is not found

Note:

  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.