The information and privacy commissioners of Ontario and British Columbia in Canada have told LifeLabs to implement a series of measures to overcome shortcomings in its computer systems.
The orders follow a joint investigation finding the country’s largest provider of general health diagnostic and speciality laboratory testing services failed to protect the personal health information of millions of Canadians. A cyber-attack on LifeLabs last year resulted in a privacy breach.
The commissioners say their investigation showed the company failed to take reasonable steps to protect personal health information in its electronic systems; failed to have adequate information technology (IT) security policies in place; and collected more personal health information than was reasonably necessary.
Among measures the commissioners ordered are that LifeLabs improves specific IT security practices; has a written IT security policy; stops collecting specified information; and securely disposes of the records of information it has collected.
The orders are aimed at ensuring a data breach does not happen again, said British Columbia’s information and privacy commissioner Michael McEvoy.
In response, LifeLabs said it has appointed a chief information security officer who, with an expanded team, is improving information security; the company’s information security management programme has been enhanced through an initial C$50m (US$32.7m, €37.0m) investment; and cybercrime detection technology has been strengthened across the company.
LifeLabs added cyber security firms it has employed to monitor the dark web and other online locations have found no public disclosure of customer data. Individuals whose personal health information was impacted by the cyber-attack have been notified. All those customers live in Ontario province.
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.