Privacy breach at medical lab could affect millions in B.C., Ontario

VANCOUVER -- The private information of millions of Canadians could be at risk after a cyberattack was conducted against the computer systems of LifeLabs, a laboratory testing company. The privacy commissioners' offices in both B.C. and Ontario are co-ordinating an investigation into the attack, which has affected systems containing information belonging to about 15 million customers. The information systems contain client data including names, addresses, emails, customer logins and passwords, health card numbers and lab tests, the Office of the Information and Privacy Commissioner for British Columbia said in a statement.
The OIPC said LifeLabs reported a potential cyberattack on Nov. 1 and soon after, confirmed that cyber criminals penetrated the company's systems, took data and demanded a ransom. LifeLabs said in a statement that it's making a payment in the hopes of retrieving the data, which is being done in collaboration with cyber-attack experts.

In a statement, LifeLabs president and CEO said he's "sorry that this happened."

"As we manage through this issue, my team and I remain focused on the best interests of our customers," Charles Brown said in a statement. "You entrust us with important health information, and we take that responsibility very seriously."

LifeLabs says it will contact 85,000 customers who went to a lab in Ontario in 2016 or earlier because their lab test results may have been impacted.

A dedicated phone line (1-888-918-0467) has also been set up where people can inquire about further information and the company is offering 12 months of "protection that includes dark web monitoring and identity theft insurance" through TransUnion.

To access that service, customers will need to call the dedicated phone line and ask for an activation code.

Moving forward, LifeLabs says it has asked outside cybersecurity consultants to investigate and help with restoring security of the data.

LifeLabs also says it's fixed the affected systems and that the majority of the information on the relevant computer belongs to B.C. and Ontario customers with "relatively few" customers impacted in other areas. "I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations," Brown's statement says.

Meanwhile, the co-ordinated investigation between Ontario and B.C. privacy offices will take a look at the scope of the breach, what led to it and if LifeLabs could have prevented the situation altogether.

"I am deeply concerned about this matter," said Michael McEvoy, privacy commissioner for B.C., in a news release.

"The breach of sensitive personal health information can be devastating to those who are affected. Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete."

With files from CTV News' Adam Ward

Have you been contacted by LifeLabs as a victim of the data breach? Tell us your story at [email protected]

Similar Articles:

Quest Diagnostics Says Up to 12 Million Patients May Have Had Financial, Medical, Personal Information Breached

Quest Diagnostics Says Up to 12 Million Patients May Have Had Financial, Medical, Personal Information Breached

Pager systems used in healthcare could be exposing patient data across Canada

Pager systems used in healthcare could be exposing patient data across Canada

Will California lawmakers vote to protect Californians’ privacy or tech industry profits?

Will California lawmakers vote to protect Californians’ privacy or tech industry profits?

How Much Responsibility Should Monster.com Take for Third Party Data Breach?

How Much Responsibility Should Monster.com Take for Third Party Data Breach?