LifeLabs clients in B.C. and Ontario have filed notices of claim in the courts seeking to launch class-action lawsuits against the diagnostic testing firm after revelations that it suffered a data breach involving 15 million patients, mostly in those provinces.
The company revealed this week that it discovered its systems had suffered an unauthorized access and the intruder might have had access to names, addresses, email, logins, passwords, dates of birth and health-card numbers, as well as test results for 85,000 Ontario residents from 2016 and earlier.
In the notice of claim filed in B.C., retired computer technician Kenneth Morrison argues that LifeLabs “failed to implement sufficiently strong encryption and security safeguards to prevent the personal information from being subject to unauthorized access.”
The company “failed to treat privacy and security as its top priorities,” according to the claim, filed by Morrison’s lawyer, David Aaron, seeking to register the lawsuit as a class action for all of LifeLabs customers in B.C., which could be most British Columbians.
Health Minister Adrian Dix said LifeLabs, Canada’s largest private provider of medical tests, does about one-third of all diagnostic tests for the provincial health system, 34 million procedures in 2018, and the province has “very high expectations of LifeLabs as our partner.”
“The privacy aspects of our agreements with LifeLabs are very significant,” Dix said this week. “It is a major challenge in the world we live in.”
However, the delay in informing the public of the LifeLabs breach, which happened in October but wasn’t made public until Tuesday, indicates a need to tighten up Canadian rules for disclosure, according to a Simon Fraser University cybercrime expert, Richard Frank.
“A lot of things can happen in two months,” when members of the public are unaware of risks to their data, Frank said.
LifeLabs is now offering patients a security package that includes a year of free credit monitoring and identity-theft protection, but Frank, a LifeLabs client, said: “Had I known two months ago, I could have changed passwords.”
Dix said LifeLabs reported its data incursion to the province Oct 28. 1, and B.C. knew by Nov. 7 that data of British Columbians was involved.
He added that the only reason LifeLabs was granted a delay in disclosing the breach publicly “was to ensure that the information that hadn’t been compromised wouldn’t be compromised.”
Regulations in provincial policy manuals make “all employees, contractors and others” who have access to data, including personal information, responsible for its security. Security includes “protection of personal data, systems, documentation, computer-generated information and facilities from accidental or deliberate threats to integrity or availability,” according to the regulations.
However, Frank said some jurisdictions, such as the European Union through its General Data Protection Regulation and California with its Consumer Privacy Act, have tighter requirements for disclosure.
“We need something like that here,” Frank said.
Improving on data protection is becoming more critical as the technology we use, such as smartphones, generate enormous amounts of it, said Scott Morrison, chief technology officer for the digital security firm PHEMI Systems.
“People expose huge amounts of information as they go through their lives leaving behind this digital exhaust,” Morrison said.
The biggest mistake that large organizations make is to rely on the traditional “fortress model” of security in which “you have a strong wall around the inner keep,” using firewall devices, Morrison said, “and you assume your entire defensive posture is about keeping bad guys from getting in.”
Instead, companies should build compartments inside their data fortresses and adopt measures such as the encryption of stored data to protect it.