LifeLabs ordered to improve online security after data breach


The information and privacy commissioners of Ontario and British Columbia in Canada have told LifeLabs to implement a series of measures to overcome shortcomings in its computer systems.

The orders follow a joint investigation which found that the country’s largest provider of general health diagnostic and speciality laboratory testing services failed to protect the personal health information of millions of Canadians. A cyber-attack on LifeLabs last year resulted in a privacy breach.

The commissioners say their investigation showed the company failed to take reasonable steps to protect personal health information in its electronic systems; failed to have adequate information technology (IT) security policies in place; and collected more personal health information than was reasonably necessary.

Among the measures the commissioners ordered are that LifeLabs improve specific IT security practices; have a written IT security policy; stop collecting specified information; and securely dispose of the records of information it has collected.

The orders are aimed at ensuring a data breach does not happen again, said British Columbia’s information and privacy commissioner Michael McEvoy.

In response, LifeLabs said it has appointed a chief information security officer who, with an expanded team, is improving information security; the company’s information security management programme has been enhanced through an initial C$50m (US$32.7m, €37.0m) investment; and cybercrime detection technology has been strengthened across the company.

LifeLabs added that cyber security firms it has employed to monitor the dark web and other online locations have found no public disclosure of customer data. Individuals whose personal health information was impacted by the cyber-attack have been notified. All those customers live in Ontario province.
