Ontario and British Columbia’s information and privacy commissioners have determined LifeLabs, the laboratory testing company didn’t protect the health information of 15 million Canadians, which mainly impacted those living in BC and Ontario.

An investigation found that LifeLabs didn’t implement “reasonable” security to protect their customers personal health informstion. The inadequate cyber security violates BC’s and Ontarios health protection laws.

“LifeLabs’ failure to properly protect the personal health information of British Columbians and Canadians is unacceptable,” BC information and privacy commissioner Michael McEvoy said in a statement.

McEvoy added that LifeLabs left millions of Canadians exposed to “potential identity theft, financial loss and reputational harm.”

The joint investigation determined that LifeLabs failed to implement adequate security rules, whie also collecting too much personal information.

“The breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks,” said Brian Beamish, the Ontario commissioner for security and privacy .