LifeLabs, Canada’s biggest medical testing laboratory, has decided to seek a court order to block the release of the investigation report by the Information and Privacy Commissioners of Ontario and British Columbia faulting the company for a 2019 privacy breach involving 15 million of its customers.
In a statement issued Wednesday, commissioners Patricia Kosseim of Ontario and Michael McEvoy of B.C. said they want to publish their full report into the LifeLabs data breach after releasing a summary on June 25th.
They noted that while LifeLabs has agreed to comply with their orders and recommendations thus far, it has challenged the release of the investigation report, claiming that some of the information it details to the commissioners is privileged or otherwise confidential. The commissioners dispute that claim.
Because the issue is now before the courts, the commissioners are refusing to comment further.
In their summary, the privacy commissioners said that, by not implementing reasonable safeguards to protect the data, LifeLabs violated Ontario’s health privacy law, the Personal Health Information and Privacy Act (PHIPA), and B.C.’s personal information protection law, the Personal Information and Privacy Act (PIPA).
Among the findings was that LifeLabs didn’t have adequate information technology security policies and information safeguard practices in place. The Ontario privacy commissioner’s office also found that while LifeLabs largely took adequate steps to notify affected individuals of the breach, its process for notifying individuals of which specific elements of their own health information were compromised was inadequate.
After that summary was released, LifeLabs quickly issued a statement that side-stepped the dispute with the privacy commissioners. Instead, it said the company is reviewing the report. It also outlined several steps LifeLabs has taken since the breach, including appointing a chief information security officer (CISO), who, together with an expanded team, is leading a program of information security improvements. LifeLabs also named new chief privacy officers and chief information officers and says it has accelerated the company’s information security management program through an initial $50 million.