In December 2019, LifeLabs, Canada's largest diagnostic test provider, disclosed that it had been hit by a ransomware attack that may have exposed the personal information of roughly 15 million customers, the vast majority of them in B.C. and Ontario. The data potentially affected includes names, addresses, email addresses, passwords, dates of birth, health card numbers and lab test results.
This is not the first such incident in LifeLabs' history. In 2013, the medical information of 16,000 LifeLabs patients in Kamloops, British Columbia went missing when a hard drive was lost. A record of prior security lapses could weigh against LifeLabs in the ongoing investigations into this year's breach.
Following the announcement, LifeLabs published an open letter to its customers outlining the immediate impact of the breach, including which categories of customer data were potentially affected, and the steps it has taken since.
To mitigate the risks arising from the attack, LifeLabs has:
LifeLabs' privacy obligations are governed by Ontario's Personal Health Information Protection Act (PHIPA), British Columbia's Personal Information Protection Act (PIPA) and Saskatchewan's Health Information Protection Act (HIPA). Each of these provincial acts is closely modelled on Canada's federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). To keep things concise, we will focus mainly on LifeLabs' responsibilities under PIPEDA.
Under PIPEDA, an organization that collects or handles personal information is accountable for protecting it with safeguards appropriate to its sensitivity. Since the mandatory breach-reporting rules took effect on November 1, 2018, an organization must report a breach of security safeguards to the Privacy Commissioner, and notify the individuals affected as soon as feasible, whenever the breach creates a "real risk of significant harm" (RROSH) to those individuals, and it must keep a record of every breach for at least 24 months. Given the identity theft risk if the attackers retained or sold copies of the stolen data, the LifeLabs breach clearly meets the RROSH threshold and triggers these reporting requirements.
Several of the fair information principles set out in Schedule 1 of PIPEDA may apply to the LifeLabs breach:
The breach could be very costly for LifeLabs. At least two class-action lawsuits are already in progress: the first, filed by a Toronto lawyer on behalf of five plaintiffs, seeks $1.13 billion in damages plus an additional $10 million in punitive damages; the second, filed by a British Columbia resident affected by the breach, seeks general and punitive damages, as well as pre- and post-judgment interest, on behalf of everyone affected within the province.
In addition to the lawsuits, LifeLabs may face substantial fines under the provincial acts. Although the exact measures LifeLabs and its outside security experts have taken since the breach are not public, if its security controls before the breach fell short of the safeguards those acts require, it is likely to incur penalties. Under British Columbia's PIPA, organizations can be fined up to $100,000, and under Ontario's PHIPA, fines can reach $500,000.
While LifeLabs' future is uncertain, anyone affected by the breach should take every available step to protect themselves. Affected customers should take advantage of the identity theft insurance and protection LifeLabs is offering, change their LifeLabs password and the password of any other account where it was reused, and contact their financial service providers. If evidence of identity theft is found, they should file a report with their local police and contact the Canadian Anti-Fraud Centre.