LifeLabs breach highlights data protection crisis in Canada

Vancouver, December 18, 2019 –  Yesterday, LifeLabs announced a data breach that affects 15 million Canadians. The breach, which primarily impacts clients in BC and Ontario, includes highly sensitive personal information, like medical diagnostic test results and genetic information.

The information was breached on October 28, 2019. LifeLabs has paid an unreported sum to cybercriminals for the return of the data, but it is unknown if copies of the data were made by the cybercriminals. LifeLabs is offering one year of cyber protection monitoring and security insurance to its customers.

This latest breach means that, in a period of just one year, every Canadian has likely been the victim of a data breach or knows someone who has.

According to figures released by the Office of the Privacy Commissioner of Canada, 28 million Canadians have been the subject of a data breach since November 1, 2018. With an additional 15 million Canadians impacted by the LifeLabs breach, that means there were more than 43 million incidents between November 2018 and November 2019.

This situation represents a crisis for privacy and data protection in Canada.

“Canadian privacy laws, both federal and provincial, are simply inadequate,” says Joyce Yan, FIPA’s Interim Executive Director. “They do not and will not protect Canadians from the potential harms that come from our increasingly digital world. Urgent law reform is needed. Every privacy commissioner in Canada needs to have investigatory, order-making, and fining power. Data breaches must be reported to them immediately.”

While breach notification became mandatory at the federal scale last year, it is still not a requirement provincially. As well, it is not required that companies notify individuals when their data has been breached. Public bodies are not required to report breaches at all.

“Private companies must face repercussions for negligent data handling practices,” says Yan. “These should include financial penalties for the company, financial penalties for individuals at the company, possible charges of criminal negligence, and financial compensation for those impacted.”

During an interview, LifeLabs CEO Charles Brown stated that he did not know if the data that was breached was even encrypted.

“This is an unacceptable and irresponsible position for leadership to hold. The head of a company that is entrusted with processing data that relates to the intimate aspects of our lives—our health, wellness, and biology—must be informed about the security measures taken to protect that information,” says Yan.

The Information and Privacy Commissioners for Ontario and BC are investigating the breach and will release a report at that investigation’s conclusion.

Contact:

Joyce Yan, Interim Executive Director

BC Freedom of Information and Privacy Association

Email: fipa (at) fipa.bc.ca

Phone:  604-739-9788

-30-

BC Government has big surplus, but no plans to compensate victims of PharmaNet breach

MEDIA RELEASE

BC Government has big surplus, but no plans to compensate victims of PharmaNet breach

FIPA urges the Ministry of Health to pick up ID theft mitigation costs

Vancouver, February 20, 2017 – After the recent PharmaNet privacy breach, which victimized 7,500 British Columbians, it is astounding that the Ministry of Health has not come forward to offer compensation to those affected, especially since the BC government is sitting on a surplus in the billions of dollars.

The BC Freedom of Information and Privacy Association (FIPA) has sent a letter to Health Minister Terry Lake strongly urging his ministry to cover the costs these victims will have to incur resulting from the failure to adequately protect senstive personal information.

After the breach was discovered, the Ministry sent a letter to the victims advising that “the information gathered could possibly be used as a starting point for identity theft” and encouraging them to engage “the services of a credit monitoring company” as “the information gathered could possibly be used as a starting point for identity theft.” Such services cost money and are far from free.

In their last PharmaNet breach in 2014, the Ministry’s notice to those affected included an offer to pick up  the costs of the recommended ID theft mitigation measures. But for whatever the reason, they have failed to do so this time. This is inexcusable given that the Premier has recently stated that the government has a surplus in the billions that will be returned to taxpayers.

FIPA hopes the Minister will see fit to do what is right for the 7500 innocent victims in this case.

-30-

Contact:

Vincent Gogolek, Executive Director
BC Freedom of Information and Privacy Association
vincent@fipa.bc.ca | (o) 604-739-9788 | (c) 604-318-0031

“Is an investigation ever really closed?” asks BC FIPA

Many questions remain after Commissioner addresses FOI complaint relating to controversial Ministry of Health firings

VANCOUVER, September 10, 2015 – The BC Freedom of Information and Privacy Association (FIPA) is raising concerns that RCMP or other files could be left open indefinitely, thereby avoiding requests under the Freedom of Information and Protection of Privacy Act. This follows Information and Privacy Commissioner Elizabeth Denham’s finding that it was “not unreasonable” for the BC government to believe an RCMP file was not really closed, because it would be reopened “if and when” the government’s own related investigation was completed.

The RCMP file in question concerned the Ministry of Health’s controversial firing of eight researchers and employees in 2012.

Responding to a FOI request from FIPA, the BC government claimed an RCMP investigation could be harmed by releasing the requested records. The RCMP sent an email supporting the government’s position, but after the hearing, and before the OIPC made their decision, the RCMP closed the file and told the BC government that it would be reopened “if and when” the latter completed their investigation into the matter.

Though FIPA was ultimately successful in forcing the Ministry of Health to release more records, the government’s failure to inform the OIPC of the change in circumstances could have led to a different—and unfair—outcome.

Unfortunately, Commissioner Denham, despite finding that the RCMP email about the closing of the file raised “legitimate questions” found that it was reasonable for the government to have considered the case open. In her letter responding to FIPA’s concerns, she wrote that the government had a “reasonable belief” that the RCMP’s concerns about the release of records under FOI were still valid.

“The Commissioner’s response leaves a number of concerns unanswered,” said FIPA Executive Director Vincent Gogolek. “The most important is that there does not seem to be any clear point at which you can say an investigation is over for FOI purposes.”

“This ‘no harm, no foul’ finding leaves a great deal of uncertainty about when an investigation can be finally defined as concluded. FIPA will be raising these concerns and some possible solutions with the Legislative Committee reviewing the Act later this fall.”

– 30 –

Contact:

Vincent Gogolek, Executive Director
BC Freedom of Information and Privacy Association
vincent@fipa.bc.ca | (o) 604-739-9788 | (c) 604-318-0031

Submissions for OIPC Hearing on Ministry of Health Firings

Below are the submissions and supporting affidavits from FIPA and the BC Government in the Office of the Information and Privacy Commissioner (OIPC) Hearing in March 2014, which resulted in Order F14-45.

Submissions:

FIPA intial submissions

FIPA reply submission

BC Government reply submission

BC Government initial submission

Affidavits:

Taylor Affidavit

Johnson Affidavit

Madden Affidavit

Email from Sgt Cowan RCMP Exhibit A