Seven months after the breach was reported, Saskatchewan Information and Privacy Commissioner Ronald Kruzeniski has published a withering report on a ransomware attack against LifeLabs.
The attack happened in October but was reported to the public and the privacy commissioner’s office in December. A ransomware attack against LifeLabs in Ontario resulted in the private information of 15 million people being compromised, including about 93,650 people from Saskatchewan.
LifeLabs paid the ransom and the information was returned. The company told the privacy commissioner that, among the Saskatchewan residents, most of the information was from the patient wait time system “SaveMySpot” app. That included things like names, email addresses, passwords, security questions and answers, telephone numbers, IP addresses, and login attempt information.
About 240 people from Saskatchewan had their information breached from lab testing with LifeLabs in other provinces. That information was a bit more extensive and included birth dates, health card numbers, and results of lab testing.
In his report, the commissioner described the difficulty he had obtaining full and timely information from LifeLabs about the ransomware attack and about the company’s systems, policies and protocols. In the end, some of his findings had to be made on the basis of the company’s failure to provide information.
Among the findings in the report, Kruzeniski said neither LifeLabs nor the Saskatchewan Health Authority (SHA) properly notified affected people of the privacy breach.
LifeLabs did make a public announcement about the breach in December and sent emails to some people, but the emails gave no details about what information might have been compromised. The company also said it could not determine for individual customers exactly which information had been compromised.
The SHA only reviewed LifeLabs’ public announcement and didn’t do anything else, according to the report.
The commissioner found through his investigation that LifeLabs didn’t properly protect the integrity or accuracy of customers’ personal health information.
Kruzeniski also found that LifeLabs didn’t have written security policies in place, which breached its agreement with the SHA.
The agreement states that the SHA must have approved the company’s privacy breach protocols in advance, but when the commissioner asked the SHA for LifeLabs’ protocols, it provided documents it had only received from LifeLabs that same day.
The commissioner also found LifeLabs didn’t show it had reasonable safeguards in place at the time of the cyberattack, and it didn’t show that it had done enough to prevent similar breaches from happening in the future.
In the findings that apply to LifeLabs and the SHA together, Kruzeniski found that neither had demonstrated it properly investigated the breach, and neither had done enough to protect information from future breaches. The report also found that neither produced an adequate investigation report.
The recommendations listed at the end of Kruzeniski’s report include several to improve LifeLabs’ policies and procedures, such as updating its patient wait time system so that it can authenticate people’s identity, and that it formalize and update its written security policies and have them approved by the SHA.
The commissioner also recommended LifeLabs and the SHA provide cybersecurity protection to those affected for a minimum of five years, instead of the one year initially offered.
Kruzeniski also recommended the SHA undertake an audit of LifeLabs’ systems and response to the breach to make sure that it has been fully addressed and that the company is in compliance with HIPA and its agreement with the SHA.
The commissioner added a caveat: If LifeLabs either doesn’t co-operate or the SHA finds its safeguards aren’t enough, then the SHA should terminate its agreement with LifeLabs.
He also recommended the province change its licensing laws to require that medical labs abide by HIPA, and that it specifically amend LifeLabs’ licences to require it to abide by HIPA.
SHA apology
The Sask. Health Authority is apologizing to those people in Saskatchewan who were affected by this privacy breach. It’s also acknowledging that it should have been more diligent in getting information on the breach from LifeLabs when it happened.
It said in an emailed statement that the authority intends to “learn and improve from this event”.
The SHA said it is talking with LifeLabs about adding clarity to their agreement on two fronts: the policies and procedures for keeping patient information safe, and privacy obligations, including having staff sign confidentiality agreements and receive privacy training.
The authority’s statement said it’s reviewing the company’s privacy breach management protocols and privacy and security policies and procedures.
The SHA also said it’s disappointed that LifeLabs didn’t give over information about the privacy breach when the company learned of it.
“The SHA expects all contracted providers that would have access to patients’ personal health information to take the necessary steps to safeguard that information, and respond in a timely and appropriate manner if a breach occurs.”
When asked how the authority can justify continuing its work with LifeLabs after the problems brought to light by the commissioner’s report, the authority replied:
“The SHA is working with LifeLabs to address both the lack of clarity in the contract about the responsibility and accountability for the protection of personal health information. The SHA expects the contractor to provide information as requested, and to work with us as we take the steps necessary to ensure personal health information is protected.”
Response from LifeLabs
In response to an inquiry, LifeLabs’ Senior Vice-President of Corporate Affairs, Strategy and Innovation, Chris Carson, emailed a statement.
Carson said the company can’t change what happened in the breach, but it is working on enhancing its information security systems.
“We have committed to investing an initial $50 million to adhere to a gold standard in information security management that is achieved by only a small number of organizations,” said Carson in the statement.
He said the company values its partnership with the SHA, and will work closely with it to meet its needs and so it can have confidence LifeLabs’ systems are “safe and secure” going forward.
The Ministry of Health says the commissioner has raised some important issues, but would say only that it will support the SHA as it reviews the recommendations.