Health data of 15 million Canadians was hit by a cyberattack on Canada’s largest medical laboratory diagnostic testing services company.
LifeLabs reported a potential attack Nov. 1, spurring an investigation by the privacy commissioners of B.C. and Ontario, it was announced Dec. 17.
“I am deeply concerned about this matter,” B.C. commissioner Michael McEvoy said.
“The breach of sensitive personal health information can be devastating to those who are affected.”
In a joint release, McEvoy and Ontario commissioner Brian Beamish said, “They told us that the affected systems contain information of approximately 15 million LifeLabs customers, including name, address, email, customer logins and passwords, health card numbers and lab tests.”
LifeLabs said cyber criminals penetrated the company's systems, extracting data and demanding a ransom, the commissioners said.
LifeLabs president Charles Brown said the company retrieved the data by making payment.
“We did this in collaboration with experts familiar with cyberattacks and negotiations with cyber criminals,” Brown said.
LifeLabs is Canada's largest provider of general diagnostic and specialty laboratory testing services. It has four core divisions: LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical and Excelleris.
The company has hired cybersecurity consultants to investigate and assist with restoring the security of the data.
In an open letter to clients, Brown said the company is working to ensure security of patients’ data.
“You entrust us with important health information, and we take that responsibility very seriously,” Brown said.
“I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyberattack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”
The co-ordinated B.C. and Ontario probe will examine the scope of the breach, circumstances leading up to it and what, if any, measures LifeLabs could have taken to prevent and contain the breach.
“We will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks,” McEvoy and Beamish said.
Beamish said, “An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant.”
Cyberattacks are growing criminal phenomena, and perpetrators are becoming increasingly sophisticated. Public institutions and health-care organizations are ultimately responsible for ensuring
LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit customernotice.lifelabs.com or contact LifeLabs at 1 888 918-0467.