LifeLabs breach broke Ontario privacy laws

LifeLabs signage is seen outside of one of the lab's Toronto locations, Tuesday, Dec. 17, 2019. (THE CANADIAN PRESS/Cole Burston)

A joint investigation by the privacy commissioners of Ontario and British Columbia says Lifelabs failed to put in place reasonable safeguards to protect the personal health information of millions of Canadians.

A statement released by the commissioners says the breach last year at LifeLabs, one of Canada's largest medical services companies, broke Ontario's health privacy law and B.C.'s personal information protection law.

The joint investigation found LifeLabs collected more personal health information than was necessary, failed to protect that data in its electronic systems and relied on inadequate information technology security policies.

Both offices have ordered LifeLabs to address the shortcomings through measures that include improving its security systems and creating written policies and practices regarding information technology security.

LifeLabs told regulators it detected a cyberattack on its computer systems on Oct. 28 and privacy officials in B.C. and Ontario were notified of the breach on Nov. 1 and 5.

The breach was determined to have affected millions of Canadians and the privacy commissioners announced their joint investigation in mid-December.