A 2020 report detailing the hack of a Canadian medical testing company was released Monday after a court ruled it could be made public, ending a four-year battle during which the company sought to keep the details of the investigation secret.

The 2019 hack of the company, LifeLabs, exposed the private health data of millions of Canadians.

The privacy commissioners of both British Columbia and Ontario said in a press release that their joint investigative report, completed in June 2020, found that LifeLabs “failed to take reasonable steps” to protect clients’ data while collecting more personal health information than was “reasonably necessary.”

As Canada’s biggest provider of general health and specialty laboratory testing services, LifeLabs performs more than 100 million lab tests each year and maintains a patient portal through which more than 2.5 million individuals obtain test results annually, according to a summary of the report released by the regulators.

LifeLabs told regulators it had been hacked in late 2019, prompting them to launch a joint investigation which found that the company did not adequately  staff its security team or have appropriate information security measures in place. 

The regulators ordered LifeLabs to fix those issues and stop collecting some personal information it had historically gathered as well as “securely dispose” of those records. They also ordered the company to “clarify and formalize” its work with health information custodians whom it contracts with to provide testing.

LifeLabs has addressed the regulator's recommendations and orders, a press release from the regulators said. 

A spokesperson for LifeLabs said in a statement that the company “remains dedicated to safeguarding health information and continuously improving our practices to address these evolving risks.”

Ontario’s privacy regulator said it was important for the report to be made public after four years of resistance by LifeLabs.

“I am very pleased with the court’s decision that allows the public to be made aware of the circumstances of this cyberattack and provides a transparent account of our investigation findings to help restore public trust in the oversight mechanisms designed to hold organizations accountable,” Patricia Kosseim, Information and Privacy Commissioner of Ontario, said in a statement.