LifeLabs, privacy commissioners at odds over release of data breach report

LifeLabs was hit last year by a ransomware attack affecting millions of Canadians

Privacy commissioners in B.C. and Ontario remain at odds with LifeLabs LP over the public release of a report delving into a massive data breach at Canada’s largest medical testing company.

LifeLabs filed a petition in B.C. Supreme Court Monday (July 27), seeking a court order to stop the public release of the commissioners’ full report into a ransomware attack last fall that hit 15 million people.

The company is arguing the release would divulge information handed over to commissioners that it considers privileged or confidential.

“Commissioners Patricia Kosseim (Ontario) and Michael McEvoy (B.C.) maintain the view that the public release of the joint investigative report is vital to bringing to light the underlying causes of the privacy breach and rebuilding public trust by providing a transparent account of their investigation and findings,” the commissioners said Wednesday (July 29) in a statement.

The pair added they “take issue with” the claim the release of the full report would expose privileged or confidential info.

“As this matter is now before the courts, our offices will not be providing any further comment at this time,” the commissioners said.

LifeLabs did not immediately respond to an interview request from Glacier Media.

Following last month’s release of a summary of the investigation, B.C. and Ontario information and privacy commissioners said LifeLabs has agreed to follow all the orders and recommendations made in the report.

A report summary released June 25 found LifeLabs’ actions violated B.C.’s personal information protection law, concluding the company failed to take reasonable steps to protect personal health information.

The investigation also determined LifeLabs did not have adequate security policies in place and collected more personal information than “reasonably necessary.”

The commissioners subsequently ordered LifeLabs to improve practices regarding cybersecurity, to formally put in place written cybersecurity practices and policies, to cease collecting certain information and to securely dispose of the records of information collected.

It was revealed last year that cyber criminals penetrated LifeLabs’ systems, extracting data and demanding a ransom.

LifeLabs CEO Charles Brown said the company retrieved the data by making payment.

“We did this in collaboration with experts familiar with cyberattacks and negotiations with cyber criminals,” he said in an open letter released in December 2019.

“I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyberattack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”

- with a file from Jeremy Hainsworth, Glacier Media