Privacy commissioners in Ontario and British Columbia are investigating a recent cyber attack on LifeLabs, a medical testing and laboratory services company.
According to a customer service note on the LifeLabs website and a statement from the two commissioners, over 15 million people had their personal data breached in the attack.
The majority of those people were residents in B.C. and Ontario, and the data included customers’ names, addresses, emails, logins, passwords, dates of birth, health card numbers, and lab test results, LifeLabs says.
On November 1st, 2019, the company notified the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) about the attack.
LifeLabs then consulted with outside cybersecurity firms and made a ransom payment to secure the data. They did not disclose how much was paid.
The company says their systems have been strengthened to prevent a future attack, and that all customers potentially affected by the hack can access one year of cyber security protections. These protections include dark web monitoring and insurance for identity theft and fraud.
“Personally, I want to say I am sorry that this happened,” said LifeLabs President and CEO Charles Brown in the company’s customer service note.
“As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously.”
In a joint press release from the IPC and OIPC, Michael McEvoy, information and privacy commissioner for B.C. said, “I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected.”
“Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”
This is the second privacy concern from the company in recent years.
In 2013, a hard drive was stolen from a LifeLabs computer in Kamloops that contained personal information including patients’ names, addresses, and health care numbers.
The hard drive was lost in January but authorities were notified of the security breach in June. Over 16,000 people were affected by the theft.