Skip to main content

LifeLabs faulted for huge data breach by Ontario, B.C. privacy commissioners

The privacy commissioners of Ontario and British Columbia say the country’s largest medical laboratories failed to protect the personal health information of 15 million Canadian residents in last year’s data theft.

After a joint investigation, the two provincial privacy czars issued a statement Thursday saying that by not implementing reasonable safeguards to protect the data LifeLabs violated Ontario’s health privacy law, the Personal Health Information and Privacy Act (PHIPA), and B.C.’s personal information protection law, the Personal Information and Privacy Act (PIPA).

Among the findings was that LifeLabs didn’t have adequate information technology security policies and information practices in place. The Ontario privacy commissioner’s office also found that while LifeLabs has largely taken adequate steps to notify affected individuals of the breach, its process for notifying individuals of which specific elements of their own health information were compromised was inadequate.

However, the commissioners’ full report detailing how LifeLabs failed wasn’t released because LifeLabs claims that the information it provided to the commissioners is privileged or confidential. The commissioners reject these claims and say the full report will be published unless LifeLabs takes court action.

LifeLabs quickly issued a statement that did not refer to the dispute with the privacy commissioners. Instead, it said the company is reviewing the report. It also outlined several steps LifeLabs has taken since the breach, including appointing a chief information security officer (CISO), who, together with an expanded team, is leading a program of information security improvements. LifeLabs also named new chief privacy officers and chief information officers and says it has accelerated the company’s information security management program through an initial $50 million.

 

Related:

LifeLabs introduces new CISO

 

LifeLabs aims to achieve ISO 27001 certification, what it calls “a gold standard in information security management.”

“We continue to deploy cybersecurity firms to monitor the dark web and other online locations for information related to the cyber-attack,” the statement said. So far, it added, there hasn’t been a public disclosure of customer data from the attack.

“Since the breach,” the privacy commissioners acknowledged, “LifeLabs has, for the most part, taken reasonable steps to address the shortcomings in its information technology security measures.” But they still ordered the lab to do more.

These orders include improving specific practices regarding information technology security and formally putting in place written information practices and policies with respect to information technology security. They also demand the company ceases collecting specified information and to securely dispose of the records of that information which it has collected.

The Ontario commissioner also ordered LifeLabs to improve its process for notifying individuals of the specific elements of their personal health information which were the subject of the breach and to clarify and formalize its status with respect to health information custodians in Ontario with whom it has contracts to provide laboratory services.

LifeLabs performs over 100 million laboratory tests each year, with 20 million annual patient visits to its locations in the two provinces.

According to a chronology from the privacy commissioners, LifeLabs said it detected the cyberattack on October 28, 2019. A few days later it notified the offices of the two privacy commissioners that cyber criminals had penetrated the company’s systems, extracted data — including name, address, email, customer logins and passwords, health card numbers and lab tests — and demanded a ransom.

The lab results involved 85,000 Ontario customers that were done on or before 2016.

“An attack of this scale is extremely troubling,” outgoing Ontario privacy commissioner Brian Beamish said in a statement. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant  Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and healthcare organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”

B.C. privacy commissioner Michael McEvoy said in a statement he is deeply concerned about the attack. “The breach of sensitive personal health information can be devastating to those who are affected. Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”

In its statement, LifeLabs said that “what we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do. We have made a commitment through our partnership with experts, the health care sector, governments and IT companies, to become a global leader in protecting health care data.”



Udimi - Buy Solo Ads from IT World CanadaIT World Canada https://ift.tt/3dAJhgs
via IFTTT

Comments

Popular posts from this blog

9 VCs in Madrid and Barcelona discuss the COVID-19 era and look to the future

Spain’s startup ecosystem has two main hubs: Madrid and Barcelona. Most observers place Barcelona first and Madrid second, but the gap appears to close every year. Barcelona has benefitted from attracting expats in search of sun, beach and lifestyle who tend to produce more internationally minded startups. Madrid’s startups have predominantly been Spain or Latin America-focused, but have become increasingly international in nature. Although not part of this survey, we expect Valencia to join next year, as city authorities have been going all-out to attract entrepreneurs and investors. The overall Spanish ecosystem is generally less mature than those in the U.K., France, Sweden and Germany, but it has been improving at a fast clip. More recently, entrepreneurs in Spain have moved away from emulating success in pursuit of innovative technologies. Following the financial crisis, the Spanish government supported the creation of startups with the launch of FOND-ICO GLOBAL, a €1.5 billi

How to Stay Creative and Keep SEO in Mind

Information Technology Blog - - How to Stay Creative and Keep SEO in Mind - Information Technology Blog Search engine optimization (SEO) refers to customizing your website’s content to ensure that web browsers give your website a high SEO score. The sites with the highest SEO scores are featured on the search engine’s first page of search results for relevant searches.  71%  of the click-throughs happen with articles listed on the first page of results on the search engine. This means that if your website’s article is the second (or third, or fourth page), it’s less likely the search user will even see your article. You want your article to be ranking as close to the top of the first page of results as possible. In order to have a good SEO score your site’s content needs to feature keywords and relevant phrases. It must be optimized for easy navigation between pages. It also needs to be referenced via external links that drive traffic to your site. Incorporating all of these elem

Everything we know about HHS Protect, a secretive government project with Peter Thiel's Palantir that helps brief Trump's coronavirus task force

A secretive project at the US Department of Health and Human Services is working with technology companies to collect and analyze data related to the novel coronavirus .  Dubbed "HHS Protect," the effort tracks information from around the country about coronavirus case numbers, hospital capacity, and even supply chain issues.  HHS uses Palantir Technologies , a data firm cofounded by Peter Thiel, to distill that information for the White House coronavirus task force. Visit Business Insider's homepage for more stories . A secretive project at the US Department of Health and Human Services is working with technology companies to collect and analyze data related to the novel coronavirus.  Dubbed "HHS Protect," the effort includes roughly 2.5 billion pieces of data from healthcare providers, government officials, and labs around the country about coronavirus case numbers, hospital capacity, and even supply chain issues.  The goal is learn about the progress