A long-withheld investigation into a 2019 hacking at LifeLabs Inc. that compromised millions of Canadians' health data has finally been made public after an Ontario court dismissed the company's appeal to prevent its release.
A statement from the privacy commissioners of both Ontario and British Columbia says their joint report, completed in June 2020, found that LifeLabs "failed to take reasonable steps" to protect clients' data while collecting more personal health information than was "reasonably necessary."
The report ordered LifeLabs to address a number of issues such as appropriately staffing its security team, and the commissioners' statement says the company complied with all of the orders and recommendations.
LifeLabs had cited litigation and solicitor-client privilege to prevent the document's publication, but this was opposed by the commissioners' offices.
The company then sought a judicial review in Divisional Court in Ontario before the case made its way to the Ontario Court of Appeal, where LifeLabs' appeal was dismissed.
B.C. Information and Privacy Commissioner Michael Harvey says in a statement that "the road to accountability and transparency has been too long" for the victims of the data breach.
"LifeLabs' failure to put in place adequate safeguards to protect against this attack violated patients' trust, and the risk it exposed them to was unacceptable," Harvey says. "When this happens, it is important to learn from past mistakes so others can prevent future breaches from happening.
"But to learn from lessons, we need to share them."
Ontario Information and Privacy Commissioner Patricia Kosseim says in the statement that she is pleased with the court's decision to uphold the decision by her office "to help restore public trust in the oversight mechanisms designed to hold organizations accountable."
In May, Canadians who applied to be part of a class-action lawsuit against LifeLabs began receiving cheques and e-transfers, with administrator KPMG saying more than 900,000 valid claims were received.
An Ontario court had approved a total Canada-wide settlement of up to $9.8 million in the data breach, which allowed hackers to access the personal information of up to 15 million customers.
