LIFELABS on Thursday said in a statement that it has received the joint Investigation Report from the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner of British Columbia regarding the cyber-attack late last year and is reviewing the report’s findings.
It said: “From the beginning, LifeLabs has committed to being open and transparent and we will continue to follow these principles as we work together on a path forward. We thank the Commissioners, Mr. Michael McEvoy and Mr. Brian Beamish, and their offices for their work.
“On the day we announced the cyber-attack last year, we made a commitment to our customers that we would learn and work hard to earn back their trust. We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon.
“As we shared with our customers in early June, we have taken a number of steps to accelerate our strategy to further enhance and strengthen our information security systems:
- We have appointed a Chief Information Security Officer (CISO), who together with an expanded team, is leading our program of information security improvements;
- We have welcomed two new leaders to the LifeLabs team in the roles of Chief Privacy Officer and Chief Information Officer. Both leaders bring substantial experience in cybersecurity and privacy protections, strengthening our practices across the organization;
- We have enhanced and accelerated our Information Security Management program through an initial $50 million investment, backing our plan to achieve ISO 27001 certification – a gold standard in information security management that is achieved by only a small number of organizations;
- We have engaged an independent third-party professional services firm to objectively evaluate the response to the cyber-attack, efficacy of our security programs and capabilities, and make recommendations for further process enhancements;
- We continue to deploy cyber security firms to monitor the dark web and other online locations for information related to the cyber-attack. To date, no public disclosure of customer data from the attack has been identified.
- We established an Information Security Council with internal and external cyber security experts who will regularly report to our CEO and the Board of Directors on information security practices and protocols;
- We have implemented strengthened cybercrime detection technology across the organization;
- Our teams, organization-wide, will participate in annual security and privacy awareness and training programs.
“Following the cyber-attack last year, we provided information to all Canadians, including BC and Ontario residents, in our public announcement on December 17, 2019, as well as through significant investments in call centre personnel, a microsite, and advertisements in many local newspapers. We also reached out to customers registered on our online portals to encourage them to reset their password, as a best practice. Over the last several months, we have also worked to notify customers whose personal health information was impacted by the cyber-attack; as reported in our public announcement these customers were limited to Ontario residents.
“What we have learned from last year’s cyber-attack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do. We have made a commitment through our partnership with experts, the health care sector, governments and IT companies, to become a global leader in protecting health care data.
“We have an excellent health care system in Canada, but if COVID-19 has taught us anything, it’s that we need to keep innovating. Electronic records are an important part of delivering great service to our customers, now more so than ever. We will not let cybercrime hold us back in efforts to enhance virtual and accessible health care for all of our customers. We will continue to drive collaboration across private and public sectors to deter cybercriminals and strengthen the system, to protect and serve our customers as best as possible.
“We will continue to be vigilant in protecting your information and rebuilding your trust.”