Canadian laboratory testing company LifeLabs failed to adequately protect sensitive health information of millions of people, resulting in one of the biggest data breaches in the country last year, privacy commissioners for the provinces of British Columbia and Ontario said on Thursday.

The Information and Privacy Commissioner (OIPC) of Ontario has ordered LifeLabs to improve and clarify its data protection policies, as well as better inform individuals of their information that was breached.

Some 15 million customers of LifeLabs, Canada’s largest provider of specialty medical laboratory testing, had sensitive personal information, including names, addresses, emails, customer logins and passwords, health card numbers and lab tests exposed due to a breach that was reported in November 2019.

Commissioners have delayed releasing the full report as LifeLabs claims it includes privileged or confidential information. The privacy commissioners disagreed and said the report will be made public, unless LifeLabs takes court action.

The privacy commissioners’ joint report found that although the company for the most part took “reasonable steps” to contain and investigate the breach, it had failed to appropriately safeguard personal information of its customers.

LifeLabs is reviewing the report’s findings, according to a company statement, and “has committed to being open and transparent.”

The investigation “reinforces the need for changes to B.C.’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights,” Michael McEvoy, information and privacy commissioner of British Columbia, said in the statement.

Had such laws existed, McEvoy said, he would have taken action.

“This is the very kind of case where my office would have considered levying penalties.”