The long-awaited investigation into the 2019 LifeLabs data breach, which compromised the personal health information of up to 15 million Canadians, has finally been made public after Ontario’s Court of Appeal dismissed the company’s attempt to prevent its release.
The joint report by the privacy commissioners of Ontario and British Columbia, completed in June 2020, found that LifeLabs failed to take reasonable steps to secure client data while collecting more personal health information than was “reasonably necessary.”
Key Findings and Compliance Measures
The report outlined critical lapses in LifeLabs’ data protection measures and ordered the company to address issues such as strengthening its security team. According to the privacy commissioners, LifeLabs has since complied with all recommendations and orders outlined in the report.
However, B.C. Information and Privacy Commissioner Michael Harvey expressed concern over the delayed accountability process, saying:
“The road to accountability and transparency has been too long for the victims of the data breach. LifeLabs’ failure to implement adequate safeguards violated patients’ trust, exposing them to unacceptable risks.”
Ontario Information and Privacy Commissioner Patricia Kosseim echoed these sentiments, adding:
“This decision helps restore public trust in the oversight mechanisms designed to hold organizations accountable for protecting personal information.”
Litigation and Court Decisions
LifeLabs cited litigation and solicitor-client privilege to block the report’s publication, prompting opposition from both privacy commissioners. Following a judicial review and subsequent appeals, the Ontario Court of Appeal dismissed LifeLabs’ challenge, paving the way for the report’s release.
Class-Action Settlement
In May 2024, Canadians impacted by the data breach began receiving compensation as part of a Canada-wide class-action settlement. More than 900,000 valid claims were approved, with a total settlement of up to $9.8 million.
Impact and Lessons Learned
The breach, which allowed hackers to access sensitive personal and health information, has underscored the critical importance of robust data security measures. Commissioner Harvey emphasized the need for transparency, stating:
“To learn from mistakes, we need to share them.”
This case serves as a stark reminder to organizations of the vital role of accountability and rigorous safeguards in protecting public trust.