15 Million Health Records Leaked – Is LifeLabs Doing Enough?

In October 2019, LifeLabs – Canada’s largest diagnostic test provider – disclosed that they fell victim to a malicious ransomware attack, causing the potential leak of sensitive personal information of 15 million customers, the vast majority of these customers being located in B.C. and Ontario. The compromised data potentially includes names, addresses, emails, passwords, birth dates, health card numbers, and lab test results of LifeLabs customers.

This recent incident is not the first in LifeLabs’ history. In 2013, the medical information of 16,000 LifeLabs patients in Kamloops, British Columbia went missing following the loss of a hard drive. A history of cybersecurity negligence could prove fateful in ongoing investigations into this years’ breach.

What Is Being Done?

Following the announcement of the ransomware attack, LifeLabs published an open letter to their customers outlining the immediate impacts of the breach including details of customer data potentially affected, as well as the steps they have taken following the breach.

To mitigate the risks pending the attack, LifeLabs has:

• Consulted cybersecurity experts to isolate and secure the affected systems and determine the scope of the breach
• Implemented unspecified upgrades to the cybersecurity of their systems 
• Paid the demanded ransom to have the encrypted data released
• Opened an investigation with law enforcement
• Offered cybersecurity protection services to all of their customers, including identity theft and fraud protection insurance

LifeLabs’ PIPEDA Responsibilities

LifeLabs’ privacy responsibilities are governed by Ontario’s Personal Health Information Protection Act (PHIPA), British Columbia’s Personal Information Protection Act (PIPA) and Saskatchewan’s Health Information Protection Act (HIPA), with each of those provincial health acts being heavily influenced by Canada’s national privacy legislature, the Personal Information Protection and Electronic Documents Act (PIPEDA). To keep things concise we will largely be focusing on LifeLabs’ responsibilities as it relates to PIPEDA.

Under PIPEDA, organizations that handle sensitive customer data are fully responsible for the protection and safe handling of their customer’s data. These organizations must monitor for breaches as part of their protection responsibilities and give proper notification if the breached information can cause a “real risk of significant harm (RROSH)”. Due to the potential identity theft risks should the compromised data be duplicated by the cybercriminals, the LifeLabs breach warrants the use of these reporting requirements.

There are specific clauses from Schedule 1 of PIPEDA that may apply to the LifeLabs breach:

• Clause 4.7: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information”
• Clause 4.7.1: “The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.”
• Clause 4.7.2: “The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.”
• Clause 4.7.3: “The methods of protection should include
  • (a) physical measures, for example, locked filing cabinets and restricted access to offices;
  • (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and 
  • (c) technological measures, for example, the use of passwords and encryption.”

LifeLabs Facing Lawsuits Following the Breach

This breach may prove fateful for the future of LifeLabs. There are currently a minimum of two class-action lawsuits in progress against them – the first from a Toronto lawyer on behalf of five plaintiffs for $1.13 billion in potential damages and an additional $10 million in punitive damages, and the second from a British Columbia citizen affected by the breach who is seeking general and punitive damages, as well as pre- and post-judgment interest for anyone affected within the province.

In addition to the current lawsuits, LifeLabs may face heavy fines under provincial acts influenced by PIPEDA. While the exact post-breach protective measures taken by LifeLabs and the cybersecurity experts they are working with are not known, if LifeLabs’ cybersecurity infrastructure prior to the breach was not sufficient for the requirements of the acts they are governed under they are likely to incur harsh penalties. Under British Columbia’s PIPA, organizations can be fined $100,000, and under Ontario’s PHIPA, these fines can be up to $500,000.

While the future of LifeLabs is not certain, it is important that anyone affected by the breach take any steps possible to protect themselves. Affected customers should take advantage of the insurance and protection offered by Lifelabs, change their passwords, and contact their financial service providers. If evidence of identity theft if found, affected customers should file a report with their local police force and contact the Canadian Anti-Fraud Centre.