“An attack of this scale is extremely troubling … This should serve as a reminder to all institutions, large and small, to be vigilant. Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and healthcare organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”
- Information and Privacy Commissioner of Ontario, Brian Beamish.
On October 28, 2019, LifeLabs detected a security breach that exposed the sensitive personal information of 15 million Canadians including their name, address, email, customer login and password, health card number and lab tests. You may have been personally affected by this breach.
LifeLabs chose to pay a ransom to recover the data but is still dealing with the fallout of the breach. The privacy commissioner’s joint report has now been released, and it found that LifeLabs did not reasonably protect the personal information of its customers. The report calls the incident a "significant privacy breach" which violated Ontario's health privacy law and the Personal Health Information Protection Act (PHIPA). What can other Canadian businesses learn from this incident?
First, let’s consider which organizations and industries should pay attention to this warning:
- Health and medical practices. These organizations are obligated to know and follow the privacy laws and regulations of their province (PHIPA) and to know how to use technology appropriately to comply with them.
- Any business that holds any confidential records of individuals (clients or employees) or businesses - names, addresses, credit card information, payroll information, etc. This information is valuable to hackers who will use it for identity theft or blackmail, or sell it on the dark web for others to do so.
“This investigation also reinforces the need for changes to B.C.’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”
To incentivize organizations that collect personal details to secure them properly, the European Union has already gone in this direction with its General Data Protection Regulation (GDPR), introduced in 2018. We may see very similar changes to Canada’s privacy laws. To read more about what businesses need to know about Canada’s privacy laws, visit here.
It is clearly important to ask the difficult question: If your business had a data breach next week and had to be transparent about your cybersecurity measures, how would you look? To discuss your Cyber Security, give us a call at 613-817-1212 or email us at [email protected].
LifeLabs had this to say in a statement: “What we have learned from last year’s cyberattack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do.” Thanks for the advice, LifeLabs!
Recap:
- Now is the time to institute IT security and data protection policies
- Collect and store only necessary data
- Investing in Cyber Security is necessary and will save money and reputation in the long run
- Ensure you understand your data privacy obligations under the law