A long-awaited investigation into the 2019 hacking incident at LifeLabs Inc. that compromised the health data of millions of Canadians has finally been made public. The investigation, which was completed in June 2020 by the privacy commissioners of Ontario and British Columbia, found that LifeLabs had failed to adequately protect clients’ data and had collected more personal health information than necessary.

The joint report issued by the privacy commissioners ordered LifeLabs to address several issues, including properly staffing its security team. The company was also required to comply with all the orders and recommendations outlined in the report.

Initially, LifeLabs had attempted to prevent the publication of the report, citing litigation and solicitor-client privilege. However, the privacy commissioners’ offices opposed this and the company’s appeal was ultimately dismissed by the Ontario Court of Appeal.

Michael Harvey, the Information and Privacy Commissioner of British Columbia, expressed his satisfaction with the court’s decision, stating that the victims of the data breach had waited too long for accountability and transparency. He emphasized the importance of learning from past mistakes to prevent future breaches.

Ontario Information and Privacy Commissioner Patricia Kosseim also welcomed the court’s decision, highlighting the role of oversight mechanisms in holding organizations accountable and restoring public trust.

In a separate development, Canadians affected by the data breach began receiving compensation through a class-action lawsuit against LifeLabs. More than 900,000 valid claims were received, resulting in a Canada-wide settlement of up to $9.8 million. This settlement aimed to compensate individuals whose personal information was compromised in the breach, which affected up to 15 million customers.