Court Orders Release of Damning Report on LifeLabs Data Breach

An Ontario court has dismissed the final appeal by Canadian medical company LifeLabs Inc., bringing an end to its four-year effort to suppress a report on the 2019 data breach that compromised the personal information of millions of Canadians.

A joint report by the Privacy Commissioners of British Columbia and Ontario, completed in June 2020, revealed that LifeLabs had failed to implement adequate measures to safeguard client data and had collected more medical information than was necessary.

The report mandated that the company address several issues, including strengthening its cybersecurity team. According to the commissioners, LifeLabs has since complied with all requirements and recommendations.

Nonetheless, the company sought to block the report’s release, citing legal disputes and claims of solicitor-client privilege. The case reached the Ontario Court of Appeal, which ultimately rejected LifeLabs’ appeal.

Michael Harvey, the Information and Privacy Commissioner of British Columbia, remarked that the journey toward transparency and accountability had taken far too long, emphasizing the importance of companies learning from such failures.

His Ontario counterpart, Patricia Kosseim, noted that the court’s decision helps restore public trust in oversight mechanisms designed to hold organizations accountable.

In May of this year, citizens who filed claims as part of a class-action lawsuit against LifeLabs began receiving compensation. According to KPMG, the administrators recorded over 900,000 valid claims.

As part of a nationwide settlement in Canada, the court approved payouts of up to $9.8 million. The breach, which affected approximately 15 million clients, remains one of the largest in the history of Canadian healthcare.