Canadian privacy regulators publish details of medical testing company’s data breach


A 2020 report detailing the hack of a Canadian medical testing company was released Monday after a court ruled it could be made public, ending a four-year battle during which the company sought to keep the details of the investigation secret.

The 2019 hack of the company, LifeLabs, exposed the private health data of millions of Canadians.

The privacy commissioners of both British Columbia and Ontario said in a press release that their joint investigative report, completed in June 2020, found that LifeLabs “failed to take reasonable steps” to protect clients’ data while collecting more personal health information than was “reasonably necessary.”

As Canada’s biggest provider of general health and specialty laboratory testing services, LifeLabs performs more than 100 million lab tests each year and maintains a patient portal through which more than 2.5 million individuals obtain test results annually, according to a summary of the report released by the regulators.

LifeLabs told regulators it had been hacked in late 2019, prompting them to launch a joint investigation, which found that the company did not adequately staff its security team or have appropriate information security measures in place.

The regulators ordered LifeLabs to fix those issues and stop collecting some personal information it had historically gathered as well as “securely dispose” of those records. They also ordered the company to “clarify and formalize” its work with health information custodians whom it contracts with to provide testing.

LifeLabs has addressed the regulators’ recommendations and orders, a press release from the regulators said.

A spokesperson for LifeLabs said in a statement that the company “remains dedicated to safeguarding health information and continuously improving our practices to address these evolving risks.”

Ontario’s privacy regulator said it was important for the report to be made public after four years of resistance by LifeLabs.

“I am very pleased with the court’s decision that allows the public to be made aware of the circumstances of this cyberattack and provides a transparent account of our investigation findings to help restore public trust in the oversight mechanisms designed to hold organizations accountable,” Patricia Kosseim, Information and Privacy Commissioner of Ontario, said in a statement.


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
