Canadian privacy regulators publish details of medical testing company’s data breach

A 2020 report detailing the hack of a Canadian medical testing company was released Monday after a court ruled it could be made public, ending a four-year battle during which the company sought to keep the details of the investigation secret.

The 2019 hack of the company, LifeLabs, exposed the private health data of millions of Canadians.

The privacy commissioners of both British Columbia and Ontario said in a press release that their joint investigative report, completed in June 2020, found that LifeLabs “failed to take reasonable steps” to protect clients’ data while collecting more personal health information than was “reasonably necessary.”

As Canada’s biggest provider of general health and specialty laboratory testing services, LifeLabs performs more than 100 million lab tests each year and maintains a patient portal through which more than 2.5 million individuals obtain test results annually, according to a summary of the report released by the regulators.

LifeLabs told regulators it had been hacked in late 2019, prompting them to launch a joint investigation which found that the company did not adequately staff its security team or have appropriate information security measures in place.

The regulators ordered LifeLabs to fix those issues and stop collecting some personal information it had historically gathered as well as “securely dispose” of those records. They also ordered the company to “clarify and formalize” its work with health information custodians whom it contracts with to provide testing.

LifeLabs has addressed the regulators’ recommendations and orders, a press release from the regulators said.

A spokesperson for LifeLabs said in a statement that the company “remains dedicated to safeguarding health information and continuously improving our practices to address these evolving risks.”

Ontario’s privacy regulator said it was important for the report to be made public after four years of resistance by LifeLabs.

“I am very pleased with the court’s decision that allows the public to be made aware of the circumstances of this cyberattack and provides a transparent account of our investigation findings to help restore public trust in the oversight mechanisms designed to hold organizations accountable,” Patricia Kosseim, Information and Privacy Commissioner of Ontario, said in a statement.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
