Vancouver, December 18, 2019 – Yesterday, LifeLabs announced a data breach that affects 15 million Canadians. The breach, which primarily impacts clients in BC and Ontario, includes highly sensitive personal information, like medical diagnostic test results and genetic information.
The information was breached on October 28, 2019. LifeLabs has paid an unreported sum to cybercriminals for the return of the data, but it is unknown if copies of the data were made by the cybercriminals. LifeLabs is offering one year of cyber protection monitoring and security insurance to its customers.
This latest breach means that, in a period of just one year, every Canadian has likely been the victim of a data breach or knows someone who has.
According to figures released by the Office of the Privacy Commissioner of Canada, 28 million Canadians have been the subject of a data breach since November 1, 2018. With an additional 15 million Canadians impacted by the LifeLabs breach, that means there were more than 43 million incidents between November 2018 and November 2019.
This situation represents a crisis for privacy and data protection in Canada.
“Canadian privacy laws, both federal and provincial, are simply inadequate,” says Joyce Yan, FIPA’s Interim Executive Director. “They do not and will not protect Canadians from the potential harms that come from our increasingly digital world. Urgent law reform is needed. Every privacy commissioner in Canada needs to have investigatory, order-making, and fining power. Data breaches must be reported to them immediately.”
While breach notification became mandatory at the federal scale last year, it is still not a requirement provincially. As well, it is not required that companies notify individuals when their data has been breached. Public bodies are not required to report breaches at all.
“Private companies must face repercussions for negligent data handling practices,” says Yan. “These should include financial penalties for the company, financial penalties for individuals at the company, possible charges of criminal negligence, and financial compensation for those impacted.”
During an interview, LifeLabs CEO Charles Brown stated that he did not know if the data that was breached was even encrypted.
“This is an unacceptable and irresponsible position for leadership to hold. The head of a company that is entrusted with processing data that relates to the intimate aspects of our lives—our health, wellness, and biology—must be informed about the security measures taken to protect that information,” says Yan.
The Information and Privacy Commissioners for Ontario and BC are investigating the breach and will release a report at that investigation’s conclusion.
Joyce Yan, Interim Executive Director
BC Freedom of Information and Privacy Association
Email: fipa (at) fipa.bc.ca