A joint investigation by the privacy commissioners of Ontario and British Columbia says LifeLabs failed to put in place reasonable safeguards to protect the personal health information of millions of Canadians.
A statement released Thursday by the commissioners says the breach last year at LifeLabs, one of Canada's largest medical services companies, broke Ontario's health privacy law and B.C.'s personal information protection law.
The joint investigation found LifeLabs collected more personal health information than was necessary, failed to protect that data in its electronic systems and relied on inadequate information technology security policies.
Both offices have ordered LifeLabs to address the shortcomings through measures that include improving its security systems and creating written policies and practices regarding information technology security.
LifeLabs revealed last November that hackers gained access to the personal information of up to 15 million customers, almost all in Ontario and B.C., and that the company was forced to pay a ransom to retrieve and secure the data.
The breach was determined to have affected millions of Canadians and the privacy commissioners announced their joint investigation in mid-December.
Ontario commissioner Brian Beamish says the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.
"I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation," Beamish says in the statement.
Michael McEvoy, information and privacy commissioner of B.C., said the failure by LifeLabs to properly protect the personal health information is unacceptable.
"LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm. The orders made are aimed at making sure this doesn't happen again."
LifeLabs issued a statement saying it has taken steps to accelerate its strategy to strengthen its information security systems, including appointing a chief information security officer to lead the improvements.
The company said it has accelerated its information security management program with an initial $50-million investment and has hired a third-party service to evaluate its response.
"What we have learned from last year's cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do," LifeLabs says in its statement.
A proposed class-action lawsuit was filed against the company last year over the data breach.
The statement of claim filed in Ontario accused the company of negligence, breach of contract and violating its customers' confidence, as well as privacy and consumer protection laws.