The medical testing company hit in a cyberattack impacting the private data of millions of Canadians is taking B.C. and Ontario privacy commissioners to court to stop full publications of their report.
LifeLabs LP was hit by a ransomware attack last fall, impacting 15 million people.
A commissioners’ joint investigation found LifeLabs’ actions violated B.C.’s personal information protection law, concluding the company failed to take reasonable steps to protect personal health information.
The investigation also determined LifeLabs did not have adequate security policies in place and collected more personal information than “reasonably necessary.”
In June, the commissioners said publication of their full report was being held up by LifeLabs’ claims that information provided to the commissioners is privileged or otherwise confidential.
The commissioners rejected those claims June 25, saying they intend to publish their report publicly, unless LifeLabs took court action.
The full reports were due out this week.
But, the commissioners said July 29, while LifeLabs has since confirmed it would comply with all of the commissioners’ orders and the recommendation in the report, the company is seeking a court order preventing public release of the report.
A commissioner’s release said LifeLabs is claiming some of the information it provided to the commissioners is privileged or otherwise confidential, a claim with which the commissioners take issue.
The company July 27 filed a petition to prevent the release in B.C. Supreme Court. The document said LifeLabs lawyers engaged companies to create reports in anticipation of legal action.
It has since been hit with 11 class action suits and enquiries from federal, territorial, and provincial commissioners as to the effects of the attack on people in their jurisdictions.
“LifeLabs has expected all documents prepared for the dominant purpose of litigation to be privileged and confidential,” the document said.
The company maintained it would not produce documents of people it believes are covered by solicitor-client privilege. The commissioners continued to debate with the company what was covered by privilege with the company being told it could be charged for not producing materials, the document said.
The company has also asserted some information should not be released in the final report.
“LifeLabs asserted that release of the confidential information threatened the security position of its systems and could encourage future cyber-attacks,” the document said.
Further, the company said, “In Canada, solicitor-client privilege is more than a mere privilege. It is a ‘fundamental civil and legal right’ of confidentiality, non-compellability, and inadmissibility.”
LifeLabs said B.C.’s Office of the Information and Privacy Commissioner wrongly created a requirement for the company to prove its legal documents would not have been created in the absence of litigation
Ontario commissioner Patricia Kosseim and B.C. commissioner Michael McEvoy maintain that “public release of the joint investigative report is vital to bringing to light the underlying causes of the privacy breach and rebuilding public trust by providing a transparent account of their investigation and findings.”
The commissioners revealed last year cyber criminals penetrated LifeLabs’ systems, extracting data and demanding a ransom.
LifeLabs CEO Charles Brown said at the time the company retrieved the data by making payment.
“We did this in collaboration with experts familiar with cyberattacks and negotiations with cyber criminals,” he said in an open letter released in December 2019.
“I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyberattack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations,” Brown said.
After receiving the report in June (a summary of which the commissioners released publicly), LifeLabs released a statement noting changes it had instituted to protect health data.
Those include appointing chief information security, information and privacy officers; an initial investment of $50 million in information security management; hiring a third party firm to evaluate cyber-attack response, efficacy of security programs and capabilities, and make recommendations for further process enhancements; using cyber security firms to monitor the dark web and other online locations for information related to the cyber-attack; establishing an information security council with internal and external cyber security experts; strengthening cybercrime detection technology across the organization; and increasing organization wide privacy and security education.
As of late June, LifeLabs said, none of the stolen data had appeared anywhere.
The commissioners’ offices said they would continue to actively monitor the company’s progress towards full compliance.