A medical company hit by an October ransomware data privacy breach affecting 15 million Canadians is again named in a B.C. ministerial order as a company that can share British Columbians’ data.
The health data was hit by a cyberattack on LifeLabs, Canada’s largest medical laboratory diagnostic testing services company.
But, say observers, there is no issue for British Columbians to worry about as any liability rests with the government and not LifeLabs.
“The B.C. government understands the importance of protecting British Columbians’ personal information and has been working with LifeLabs to ensure the continued security of the information in our health information banks,” the Ministry of Health said in a statement.
“LifeLabs has taken several preventive and remedial measures to address the cyber-attack of October 2019. Our understanding is that the personal health information in B.C. health information banks was not compromised by the breach,” the ministry said.
The ministry said the order adds nurse practitioners as those allowed access to information banks.
“LifeLabs has been on the list of sources for personal information in B.C. health information banks for several years,” the ministry said.
And, said LifeLabs communications manager Roy Saad when asked what assurance British Columbians can have that data is secure, “All lab providers in British Columbia are required to report lab test results into the Provincial Laboratory Information Solution. This system has been in place for many years. LifeLabs does not manage or operate the system.”
Health Minister Adrian Dix made the order under the E-Health (Personal Health Information and Privacy) Act April 9. It was posted online April 15. The order is similar to one that predates the COVID-19 crisis.
It allows for continued use of a health information repository that has existed for some time. Information to be collected there includes peoples’ demographic information, laboratory order information, laboratory specimen information, and laboratory test results Information.
B.C. Civil Liberties Association staff lawyer Meghan McDermott was doubtful the new order is pandemic-related.
Subject to approval by a stewardship committee, the collected information may be used inside or outside of Canada.
Such sharing already rang some alarm bells following relaxation of B.C. privacy laws on sharing health data March 26 as Minister of Citizens Services Anna Kang ordered (https://bit.ly/3arGh5q) that people’s health information might be shared with others inside and outside of Canada.
Information sources set out in the new order include:
• the Ministry of Health;
• all provincial health authorities;
• denominational hospitals;
• BC Biomedical Laboratories Ltd; *
• Okanagan Pathology Group;
• LifeLabs BC LP;
• Canadian Blood Services - Societe Canadienne du Sang, and
• the Forensic Psychiatric Commission.
Information in the repository may be disclosed to the ministry, health authorities, doctors in private practice and diagnostic services and Canadian Blood Services,
Data from Okanagan Pathology Group and LifeLabs can be collected through their common service provider, Excelleris Technologies LP
LifeLabs is Canada's largest provider of general diagnostic and specialty laboratory testing services. It has four core divisions: LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical and Excelleris (a LifeLabs division).
B.C.’s Office of the Information and Privacy Commissioner said the order makes minor amendments to a previous one and shouldn’t be of concern.
“ I can’t discern any changes between the 2019 order and this new iteration that may have been generated from the ransomware breach last year that LifeLabs suffered,” she said, adding “LifeLabs and other companies whose business models that collect personal health information must do better with respect to cybersecurity.”
Further, McDermott said, as the repository is controlled b y the Ministry of Health, the government would be liable for any privacy breach of health data.
LifeLabs reported the potential attack Nov. 1, spurring an investigation by the privacy commissioners of B.C. and Ontario, it was announced Dec. 17.
BC Freedom of Information and Privacy Association president Mike Larsen said “the LifeLabs data breach was massive and hugely impactful,” and remains watched by observers.
“That said, LifeLabs continues to operate, and it collects and retains vast quantities of personal health information. While this remains the case, we can probably expect ministerial orders regarding the (repository) to continue to list LifeLabs as a source of personal health information,” Larsen said.
“This is especially the case in the context of the current pandemic, when the (repository) is likely seeing a lot of use by public health officials. I can’t see a situation where the company could continue to do what it does but simultaneously be excluded from the repository.”
Repository information may be disclosed to the Ministry of Health or the Provincial Health Services Authority for inclusion in the BC-Yukon section of the Panorama Pan-Canadian Public Health Surveillance System.
That last system’s creation to support public health professionals across the country to manage cases of reportable communicable diseases and the delivery and tracking of vaccines came about after the 2003 SARS crisis as part of new public health initiatives.
The ministry said the province’s service agreements with contracted agencies follow procurement rules, including both privacy protection and security schedules clearly setting out requirements by which contractors must abide.
The B.C. government is committed to strong privacy and security controls and we expect our contracted agencies to do the same,” the ministry statement said. “If the Province receives any evidence that a service provider is non-compliant with any terms of their agreement, the service provider must then conduct an investigation or cooperate with the government's investigation, depending on the circumstances.”
LifeLabs LP in February initiated court action against the Information and Privacy Commissioner for British Columbia claiming the commissioner cannot compel the firm to hand over a third-party report into a cyberattack due to solicitor-client privilege.
LifeLabs claims the commissioner is investigating the hack and sought a report by cybersecurity firm CrowdStrike Services Inc. that had been commissioned by LifeLabs’ counsel.