Getty Images

Inadequate Security, Policies Led to LifeLabs Data Breach of 15M Patients

An audit into LifeLab’s 2019 massive data breach by B.C. and Ontario privacy commissioners found the testing giant collected more PHI than necessary and lacked adequate security policies and procedures to protect patient data.

Ontario and British Columbia Information and Privacy Commissioners have concluded LifeLabs failed to protect the personal health information of the 15 million patients impacted by its 2019 systems breach, due to its failure to implement reasonable security safeguards and policies. 

While LifeLabs is a Canadian company, the audit findings can shed light on key areas US providers can focus to bolster their own security programs. 

In December 2019, LifeLabs began notifying patients that its computer systems were hit with a cyberattack that was discovered on November 1. The investigation that followed determined the hack included patients’ lab results, some health card information, contact details, emails, login information, and dates of birth. The notification did not detail when the initial access occurred.  

What’s more, LifeLabs paid the threat actors to retrieve the stolen data, after collaborating with cybersecurity experts and negotiating with the cybercriminals. The incident was the second-largest healthcare data breach of 2019

While LifeLabs fixed the system issues that led to the breach, patients soon filed several lawsuits against the testing giant was negligent in its failures to adequately safeguard patient data, while violating consumer and privacy protection laws. The patients are asking for $1.1 billion in compensation. 

An investigation was also launched by Ontario and British Columbia Information and Privacy Commissioners to address those claims and determine the actions that led to the breach. The audit showed LifeLabs failed to take reasonable steps to protect health information stored in its systems. 

Further, LifeLabs lacked the adequate information technology security policies and information practices, while collecting more personal health information than was reasonably necessary. Officials said those actions were in violation of the country’s health privacy laws. 

The commissioners did find that LifeLabs took reasonable steps to contain and investigate the breach and have also taken reasonable steps to address shortcomings in its security. In its own release, LifeLabs officials stressed they’ve taken steps to “accelerate its strategy” to enhance its security program. 

Since the incident, LifeLabs appointed a chief information security officer, chief privacy officer, and chief information officer, while enhancing its information security management program with an initial investment of $50 million. The vendor also established an information security council, made up of internal and external cybersecurity leaders. 

LifeLabs also employed a third-party professional services firm to evaluate its cyberattack response and efficacy of its security program, as it continues to leverage outside cybersecurity teams to monitor the dark web and other online information related to the cyberattack 

Lastly, the vendor implemented additional cybercrime detection technology across the enterprise, and its workforce will participate in annual privacy and security awareness and training programs. 

Despite these efforts, the commissioners said LifeLabs has not gone far enough, including its notification processes. While its response to the breach was adequate, “its process for notifying individuals of which specific elements of their own health information were compromised was inadequate.” 

LifeLabs also needs to clarify the terms under which it provides laboratory services to other health information entities. The commissioners ordered LifeLabs to improve specific practices for its IT security, including formally putting into place written IT security practices and policies. 

The commissioners also ordered LifeLabs to stop collecting specified data and securely dispose of records of that information already collected. LifeLabs must improve its notification processes, along with clarifying and formalizing its status in respect to other healthcare entities to which their contracted for lab services. 

The commissioners also recommended LifeLabs consult with an independent third-party firm on whether a longer period of credit monitoring service would better benefit its breach victims. 

The full report has not yet been publicly released as LifeLabs claims some information from the report is privileged or confidential. However, the commissioners found the vendor has not proven those claims and will publish the report in the near future unless “LifeLabs decides to try to get a court ruling that the information is privileged or confidential.” 

“This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks,” Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement. “I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation.” 

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” Michael McEvoy, Information and Privacy Commissioner of British Columbia, said in a statement. “The orders made are aimed at making sure this doesn’t happen again.”

Next Steps

Dig Deeper on HIPAA compliance and regulation