On November 25, 2024, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) and the Information and Privacy Commissioner of Ontario (IPC) announced that they released the 2020 joint investigation report into the LifeLabs privacy breach.

Background

The investigation report outlines that LifeLabs, Canada's largest provider of general health diagnostic and specialty laboratory testing services, suffered several data breaches starting in 2018. The information breached included a database of patient visits, billing, an enterprise data warehouse used for access, and an online appointment booking system. 

The OIPC and IPC conducted a joint investigation, which revealed that LifeLabs failed to comply with its obligations under Ontario's Personal Health Information Protection Act (PHIPA) and British Columbia's Personal Information Protection Act (PIPA). Following this, the OIPC and IPC issued several orders and a recommendation, which Lifelabs complied with.

The OIPC and IPC explained that LifeLabs claimed the investigation report could not be released to the public as it contained privileged information. The OIPC and IPC decided that the facts contained in the joint investigation report were not protected by privilege. LifeLabs proceeded to seek judicial review of the decision. However, the Divisional Court dismissed their application. The appeal before the Ontario Court of Appeal has also been dismissed.

Findings of the OIPC and IPC

The investigation report outlines key issues stemming from the data breach, including:

• scope of information compromised in the breach, in particular, the number of systems affected and 8.6 million affected individuals;
• personal health information and personal information, including the fact that all compromised information was sensitive and certain datasets contained demographic information and laboratory results;
• absence of reasonable steps to protect personal health information and personal information from unauthorized access, collection, use, or disclosure, including subscribing appropriate staff to receive security alerts;
• policies and information practices, including being able to demonstrate that such policies are in place and in compliance with the applicable laws;
• collection of unnecessary personal health information and personal information, such as failed login and password pairs; and
• notice to affected individuals, in particular, to notify all individuals that their personal health information was stolen, lost, used, or disclosed without authority without the individual having to make a formal access request pursuant to Part V of PHIPA.

Outcomes

The investigation report outlines that the OIPC and IPC ordered LifeLabs to: 

• ensure that the staff are subscribed to and aware of their responsibilities to effectively monitor the list for security alerts;
• put in place comprehensive written information practices and policies that are in force and that set out safeguards that LifeLabs has implemented with respect to information technology security; and 
• cease collecting failed login and password pairs and dispose of the records of that information collected.

You can read the press release here and the investigation report here.