Lessons Learned: LifeLabs Data Breach Case Study

This is the third post in our blog series on Lessons Learned. In our first article, we looked at the BlackRock data breach, and in our second article we shed light on the Earl Enterprises data breach. This post is intended to help health care practices reevaluate their existing health information security policies.

What happened?

In November of 2019, LifeLabs notified the Office of the Information and Privacy Commissioner of Ontario of a potential cyber attack on their computer systems. A month later, the organization publicly confirmed that they were the subject of a cyber attack on their systems.

LifeLabs is a Canadian-owned company that has been serving the healthcare needs of Canadians for nearly five decades. It has 16 laboratories and over 5700 professionally trained staff members. Almost half of Canada’s total population has had some sort of testing carried out by the company as part of their routine health care.

The breach is known to be the largest to date in Canada and the first to include sensitive health data gathered by a major laboratory. A joint investigation conducted by the information and privacy commissioners of British Columbia and Ontario has since found that the company failed to put in place adequate safeguards and technology security policies to protect that personal information, and that it also collected more personal health data than was necessary.

Since the incident, LifeLabs employed a third-party professional services firm to assess its cyberattack response and efficiency of its security program, as it continues to engage external cyber security teams to surveil the dark web and other online information regarding the data breach.

What was the result?

The personal information of about 15 million Canadians, mainly residents of British Columbia and Ontario, was extracted by cybercriminals. This information included names, addresses, emails, dates of birth, and national health card numbers from 2016 and earlier. Customer login IDs and passwords appear to have also been exfiltrated in the breach.

In its public statement, LifeLabs said that it made some sort of payment to regain the stolen information. The company did not reveal detailed information on the nature of the attack, which left Canadians uncertain about the current level of risk to their personal information.

There were three proposed class-action lawsuits in response to the LifeLabs data breach. The largest of these was seeking 1.13 billion US dollars in damages plus an added 10 million US dollars in punitive penalties. That suit claimed that the LifeLabs data breach resulted from a failure to maintain sufficient cyber security controls, and that the company thereby infringed its own privacy policy by allowing it to occur.

Key takeaways for your businesses

There are a number of characteristics that make the healthcare industry an ideal target for cybercriminals. For example, crippling IT systems is easier than in other leading sectors because the healthcare sector invests too little in IT security.

On the other hand, healthcare is known as the industry where employees are the predominant threat actors in data breaches. What we see is that healthcare organizations find themselves under cyber attacks from numerous vectors, including ransomware, malware, or targeted attacks.

Organizations responsible for collecting and storing sensitive information, like healthcare records, should have heightened security protocols in place to protect the information, and to minimize the risk of having it compromised by intruders. Cyber attacks impair the ability of a healthcare provider to function properly.

The first takeaway is to create a security culture. In other words, it is important to establish a security-minded educational culture in which good practices become automatic. That should be followed by conducting information security education on an ongoing basis. The second takeaway is to plan for the unexpected. Life does not always follow a script, so be ready for what comes next. Planning for the unexpected includes creating regular and reliable data backups, protecting backup media with access controls, and testing backup media regularly for the ability to restore data correctly. Last but not least, have a sound recovery plan: know what data was backed up, when the backup was done, and where backups are stored.

Data breaches are unfortunately prevalent in every industry. Organizations must build a strong security management program and educate their workforce.

LifeLabs data breach: Hackers could still hold health records of 15M Canadians

Assistant Professor, Criminology, Simon Fraser University

Disclosure statement

Richard Frank does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

Simon Fraser University provides funding as a member of The Conversation CA.

Simon Fraser University provides funding as a member of The Conversation CA-FR.

LifeLabs — Canada’s major provider of lab diagnostics and testing services — announced on Dec. 17 that hackers had potentially accessed computer systems with data from “approximately 15 million customers” that “could include name, address, email, login, passwords, date of birth, health card number and lab test results.”

As a Canadian citizen whose data and whose family’s data is probably among the 15 million records stolen, my first thought is about the implications of this breach.

Data marketplaces

At the International CyberCrime Research Centre in the School of Criminology at Simon Fraser University, we’ve been studying online hacker communities for about seven years and the Dark Web for the past four years. The Dark Web, with its large number of marketplaces called cryptomarkets (think eBay for drugs and stolen data), is a fascinating place where all sorts of products, data and services are made available for purchase. Payments are made using anonymous (mostly) untraceable digital currencies. I would expect parts of LifeLabs’ database to eventually end up in a marketplace like that.

So how did this happen? Details of the hack have not been revealed due to the ongoing investigation, but hopefully we will eventually learn the specifics. According to the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC), “cyber criminals penetrated the company’s systems, extracting data and demanding a ransom,” which LifeLabs paid.

This points to a likely ransomware attack, where the attacker encrypts the data on a computer system and makes it inaccessible. Unless a backup of the data exists, the only way to recover the data is by paying the attacker a ransom, who sends the victim the decryption keys to unlock the data. Most of these ransomware attacks use encryption so strong that even security firms cannot unlock the files, which has led to a new type of business where consultants help ransomware victims negotiate and pay the ransom.

In most ransomware cases the data remains on the victim’s computer, but its access is revoked through strong encryption. This implies that the attackers do not actually have a copy of the data and thus the chances for future revictimization remain low. However, the language of the OIPC indicates that in this case, the data were “extracted.” This puts a new twist on the story.

Holding data hostage

Ransomware attackers sometimes do use ransomware — software that threatens to block access or publish data — that not only locks files, preventing the victim from doing anything, but also leaks the files back to the attackers. This allows the attackers to potentially extort more money from the victim, as happened a few weeks ago to Allied Universal, a security firm in California. That seems to be the case with LifeLabs.

If this is true, then our data is out there, in the hands of cybercriminals, and will remain out there. LifeLabs has stated that they have “retrieved the data by making a payment,” but if the cybercriminals already have a copy, then retrieving it will not suddenly disallow the attackers from further using that data.

Did LifeLabs not have proper backup and recovery procedures in place so it could recover from this failure without having to resort to paying a ransom?

Customer protection

The likely scenario is that LifeLabs fell victim to a ransomware attack, possibly sparked by a phishing email with a malicious link or attachment, which resulted in up to 15 million customers’ information (our information, not LifeLabs’) being extracted to the attackers. LifeLabs paid the ransom to regain access to the data and continue business.

What can we, as customers, do? Unfortunately, not much.

The data theft is beyond our control. Periodically we must do business with third-parties that require our personal information and we have no choice but to hand it over. Implicit in this transaction is that the other party (LifeLabs, for example) will protect that data. The only available option we have as customers is to be vigilant of our personal information, including financial and health details; but this is after the data theft.

We must check our credit card statements, our credit histories, our insurance claims. We must not use the same password in multiple places and should use two-factor authentication whenever possible.

Potentially the best way to prevent future breaches would be to incentivize organizations that collect our personal details to secure them properly. This could be done by changes to the legislation, like in the European Union and its new General Data Protection Regulation (GDPR) introduced in 2018.

In August 2018, the British Airways website was breached and 500,000 customer details stolen. The United Kingdom’s Information Commissioner’s Office handed down a fine of £183 million (approximately $321 million), based on a new U.K. law designed to mirror the EU’s GDPR. With penalties like that, third-party organizations would have no choice but to take data security seriously, rather than as an operational cost.


LifeLabs class-action lawsuit payout coming for over 900,000 Canadians

By Charlie Carey

Posted May 14, 2024 10:21 am.

Canadians affected by the massive 2019 cyberattack on LifeLabs are finally getting their money following a class-action lawsuit.

The 901,544 claimants across the country will receive $7.86.

KPMG, acting on behalf of the plaintiffs, says the payout amount is low because so many people filed claims. The initial payout was expected to be up to $150.

LifeLabs settled the suit for just under $10 million last fall. The original statement of claim filed five years ago accused the medical testing company of negligence, breach of contract, and violating their customers’ confidence as well as privacy and consumer protection laws.

The plaintiffs allege LifeLabs “failed to implement adequate measures and controls to detect and respond swiftly to threats and risks to the Personal Information and health records of the class members,” in violation of the company’s own privacy policy.

LifeLabs had previously said the data hack affected up to 15 million customers, almost all of them in Ontario and British Columbia. The compromised database included health card numbers, names, email addresses, logins, passwords, and dates of birth, but it was unclear how many files were accessed.

The lab results of 85,000 customers in Ontario were also obtained by the hackers, the company said.

In 2019, LifeLabs chief executive Charles Brown apologized for the breach, which led the company to pay a ransom to retrieve the data.

LifeLabs pays hackers to recover data of 15 million customers

LifeLabs, Canada's leading provider of laboratory diagnostics and testing services, admitted today to paying hackers to retrieve data stolen during a security breach last month.

"We did this [paying the hackers] in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals," the company said today in a press release.

It is unclear how much the company paid to recover its data. A LifeLabs spokesperson was not immediately available for comment when reached by phone.

According to documents filed with the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia, the security breach occurred last month, around November 1.

LifeLabs said the hackers breached its systems, extracted customer data, and then demanded a ransom to give the company back its data.

According to LifeLabs, the hackers took information on over 15 million customers. The type of personal data stolen by the attackers included names, home addresses, email addresses, usernames, passwords, and health card numbers.

For 85,000 customers, medical test results were also included.

The stolen data was dated 2016 and earlier, LifeLabs said.

The Canadian company said it's currently working with law enforcement on an investigation into the hack.

It also said it patched its system for the entry point hackers used to breach its servers.

"I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations," said Charles Brown, LifeLabs President and CEO.

For impacted users, additional information is available in a security notice on LifeLabs' website.

Compliancy Group

15 Million Affected by LifeLabs Data Breach

LifeLabs, a Canadian-based healthcare organization, was the victim of a cyberattack in November 2019. An investigation conducted by the Ontario and British Columbia Information and Privacy Commissioners found that the LifeLabs data breach was the result of inadequate security policies and safeguards.

LifeLabs Data Breach: What Happened

November 1, 2019 – LifeLabs data breach was discovered, affecting 15 million patients, the second-largest healthcare breach reported in 2019. Hackers infiltrated LifeLabs computer systems, risking patients’ protected health information (PHI). Data that may have been exposed in the hack include health card information, patients’ lab results, emails, contact details, login information, and dates of birth.

Following the attack, LifeLabs worked with cybersecurity experts to negotiate the return of the stolen data. To regain access to its patients’ data, LifeLabs paid hackers to return the stolen files.

December 2019 – LifeLabs notified patients that their sensitive information may have been compromised. Soon after the notification, patients filed multiple lawsuits claiming that LifeLabs was negligent since it failed to protect their data. The lawsuits also claim that LifeLabs violated privacy and consumer protection laws when it failed to implement adequate security safeguards. The filed lawsuits are asking for $1.1 billion to compensate the victims of the LifeLabs data breach.

LifeLabs Data Breach: Improving Security

Following the healthcare breach, LifeLabs was required to implement security measures to ensure that an attack of this nature doesn’t occur again.

These measures include:

◈ Appointing a Chief Information Security Officer

◈ Third-party Cyberattack Evaluation

◈ Cybercrime Detection Technology

◈ Employee Training  

◈ Implementing Security Policies and Procedures

In addition to these security measures, the commissioners ordered LifeLabs to cease collecting data, and to dispose of previously collected data in a secure fashion. LifeLabs must also improve their notification processes.

“This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks,” Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement. “I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation.”


LifeLabs class action payments start flowing to more than 900,000 claimants

Canadians who applied to be part of a class-action lawsuit against LifeLabs Inc. are now receiving cheques and e-transfers.

KPMG, which is administering the claims, says on the class action website that more than 900,000 valid claims were received.

Given the large number of valid claims, KPMG says claimants will receive an e-transfer of $7.86. Those receiving a cheque will get $5.86, after deducting a $2 processing fee.

The class action was launched against LifeLabs after a 2019 data breach allowed hackers to access the personal information of up to 15 million customers.

An Ontario court approved a total Canada-wide settlement of up to $9.8-million.

LifeLabs has said most of the affected customers were in Ontario and British Columbia.

In 2020, the B.C. and Ontario privacy commissioners ordered LifeLabs to improve how it safeguards personal health information, and to collect less of it from customers.

The payments are significantly smaller than what many claimants had been expecting.

When the class action settlement was approved last fall, potential claimants were told they would be eligible to receive about $50, up to a maximum of $150, though legal fees and taxes would be deducted. The precise amount, however, would be determined based on how many claims were filed.


'We're sorry': 15M LifeLabs customers may have had data breached in cyberattack

Jeremiah Rodriguez, CTVNews.ca Writer

TORONTO -- Hackers may have obtained the personal data of 15 million LifeLabs customers after a systems breach, and this includes addresses, passwords, birthdays, health card numbers and even lab results.

LifeLabs, one of the largest private providers of health diagnostic testing, said in an open letter to its customers that the firm had become aware of a recent hack to its computer systems which contained customer information, names and logins.

It didn’t specify exactly who had hacked the system but LifeLabs alerted the Ontario and B.C. privacy commissioners of the hack on Nov. 1. LifeLabs also said it paid ransom to secure the data.

LifeLabs’ letter also said the majority of these customers were in Ontario and British Columbia, with "relatively few customers" in other locations. LifeLabs President and CEO Charles Brown told CTV News approximately 10 million affected were in Ontario, with five million in B.C.

When it came to lab results, LifeLabs said the hack affected 85,000 of its Ontario customers from 2016 or earlier.

“Our investigation to date indicates any instance of health card information was from 2016 or earlier,” the letter added.

The firm discovered the cyberattack in late October and Brown has since personally apologized for the hack.

“I’d like to say to our customers that we’re sorry. We realize this may have shaken their confidence and we’ll do everything we can to win it back,” he told CTV News. “We know that health data is important and we do take that responsibility quite seriously.”

We recently identified a cyber-attack that involved unauthorized access to our computer systems. We are sorry that this incident happened. The data has been retrieved, and a law enforcement investigation is underway. For more info, visit https://t.co/gUYdHeR0Kh . — LifeLabs (@LifeLabs) December 17, 2019

As of Wednesday, two dedicated phone lines -- 1-800-431-7206 (British Columbia) and 1-877-849-3637 (Ontario) -- have been set up for people who want to inquire about further information. In a statement, the firm said there will be extended call centre hours. People can call weekdays between 8 a.m. and 11 p.m., and weekends between 8 a.m. and 8 p.m.

LIFELABS CAN'T GUARANTEE DATA WASN’T COPIED

In the letter, Brown said that the risk to customers from the data breach was low. He also said cybersecurity firms told them they hadn’t seen a public disclosure of the customer data online, including on the dark web or other online locations.

Following the advice of cybersecurity experts, he said they retrieved “the data by making a payment,” Brown said. He later explained his thinking behind that decision.

“Our desire was to try to get this data and keep it as secure as we could and not have it exposed,” he told CTV News.

But LifeLabs couldn’t guarantee that the hackers were unable to save a copy of the data. The firm has also been in touch with law enforcement, its government partners and notified privacy commissioners.

According to a joint statement from the Information and Privacy Commissioner for British Columbia and the Information and Privacy Commissioner of Ontario, LifeLabs had reported the hack to them on Nov. 1 and said that the hackers had been demanding a ransom.

Commissioners investigating LifeLabs cyberattack affecting health care information of millions. https://t.co/yCcmSeCrX4 @IPCinfoprivacy #privacy #data — OIPC BC (@BCInfoPrivacy) December 17, 2019

Cybersecurity expert Brian O’Higgins told CTV News Channel customers “may have dodged a bullet” since the hackers were likely more interested in obtaining money in exchange for people’s personal data rather than caring about the lab results.

But the fact the hackers have any personal information at all could lead to identity theft and “that could lead to a world of hurt.”

The privacy commissioners’ co-ordinated investigation will examine the extent of the breach, what led up to it and what – if anything -- could have been done to prevent it.

“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” Information and Privacy Commissioner of Ontario Brian Beamish said in the statement.

Information and Privacy Commissioner for B.C. Michael McEvoy added, “our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”

LIFELABS HAS TO DO BETTER: FMR. PRIVACY OFFICIAL

Former Information and Privacy Commissioner of Ontario Ann Cavoukian told CTV News Channel the hack is “very damaging.”

Despite LifeLabs saying it paid the ransom, there are no guarantees the data won’t show up elsewhere. Cavoukian said it’s “virtually impossible to control in terms of getting it back and you don’t know where it might appear.”

She said once customers give up their personal data to third parties, they’re at their mercy. That’s why she chastised LifeLabs for not having strong enough security to prevent the data from being stolen.

“I say that data at rest (such as the health card numbers and addresses) should be strongly encrypted so it doesn’t serve as a magnet for the bad guys,” Cavoukian said. “You don’t want to be an easy target. And that’s what’s so appalling. LifeLabs should have had the strongest security measures in place already.”

She said the bulk “of responsibility of the protection of this data is with LifeLabs.” Going forward, LifeLabs CEO pledged the company will strengthen its system to deter future hacks.

LifeLabs said it is offering “any customer who is concerned about this incident” a free year of protection including dark web monitoring and identity theft insurance from American consumer credit reporting agency TransUnion.

But Cavoukian argued that it’s also on the consumer to contact LifeLabs directly to ask if their data has been compromised. She also predicted there could be class-action lawsuits following the breach.

GROWING CONCERN OVER CYBERATTACKS

The menace of cyberattacks is a growing concern among private citizens, companies and governments.

Last month, cybersecurity firm McAfee said that 33 per cent of Canadians have lost $500 or more in online scams this year. And it warned that that number is only expected to rise during the holiday shopping season.

In the past year alone, there’s also been a handful of actual or potential data breaches including at companies such as Desjardins, Disney Plus, Capital One, Freedom Mobile, DoorDash; as well as government healthcare systems, and even at TransUnion Canada.

A recent survey of Canadian companies found that nearly 90 per cent said they had experienced a breach in the past year. O’Higgins, who’s spent the past 30 years in security technology development, said all firms are now facing a new reality.

“Corporations now routinely have cyber risk insurance and when there is an issue the insurer comes in and helps them pay,” he said.

With a file from CTVNews.ca producer Adam Ward


United States Cybersecurity Magazine

LifeLabs Suffers a Data Breach Revealing the Health Data of 15 Million Canadians

Caleb Townsend, Staff Writer, United States Cybersecurity Magazine

LifeLabs has revealed that 15 million Canadians may have had their data leaked after being hit with a cyber-attack in October. LifeLabs is a diagnostics testing company, the largest healthcare laboratory test company in Canada. In a recent blog post, they revealed that most of the victims were in Ontario and British Columbia.

The data was accessed by an unauthorized party and LifeLabs paid a ransom to retrieve their stolen data. They paid for the data in collaboration with cybersecurity experts who reportedly helped guide them through the process.

The data that was stolen includes names, addresses, emails, patient login passwords, date of birth, and health-card numbers. Additionally, a confirmed 85,000 customers’ lab test results were stolen.

The stolen data was largely from 2016 and earlier.

LifeLabs also reports taking several measures to protect their data, and more pressingly, their customers’ data, in the future. This includes:

  • Collaborating with cybersecurity experts to help secure their systems, isolate the threats, mitigate the risk, and identify exactly how large the data breach was.
  • Finding ways to help improve their overall cybersecurity posture and strengthen their system to help reduce the risk of attack.
  • Engaging with the police, who LifeLabs states are currently investigating the breach.
  • Offering cybersecurity protection to any customers affected, including identity theft protection, dark web monitoring, and fraud protection insurance. This monitoring and protection will be free for one year.

Despite the paid ransom, there are no solid reports as to whether or not the hackers released or sold any customer information.

LifeLabs states in their customer notice that, “While you are entitled to file a complaint with the privacy commissioners, we have already notified them of this breach and they are investigating the matter. We have also notified our government partners.”

They conclude by pointing out that they indeed took steps over the last few years to secure their systems, though this recent breach “serves as a reminder” that they, and by extension all businesses, need to stay ahead of cyber-attacks by taking proactive steps to strengthen their cybersecurity defenses.


Global News

Customers involved in LifeLabs data breach class-action lawsuit surprised by payout

Posted: May 14, 2024 | Last updated: May 15, 2024

People involved in a data leak by LifeLabs in 2019 are finally receiving compensation, but the amount is less than many expected. The company settled a class action lawsuit for more than 900,000 claims.


LifeLabs goes to court to block results of investigation into 2019 privacy breach


Two of Canada's provincial privacy officers say that they're still unable to release a full report about last year's security breach at LifeLabs because the company has gone to court to stop the release of information obtained during the investigation into the breach.

A joint statement from the privacy commissioners for Ontario and British Columbia says the Toronto-based chain of medical labs has agreed to comply with their orders and recommendations.

They say LifeLabs has sought a court order preventing the public release of some of the report, claiming it contains information that's privileged or otherwise confidential.

But Ontario's Patricia Kosseim and B.C.'s Michael McEvoy say they believe it's vital to bring to light the underlying causes of a privacy breach involving information of up to 15 million customers.

The commissioners reported last month that LifeLabs had failed to put in place reasonable safeguards and it had broken Ontario and B.C.'s information protection laws.

LifeLabs said at the time that it had taken a number of steps to accelerate its cybersecurity strategy and practices to strengthen its information security system.

The company was not immediately available for comment about the commissioners' latest statement.

Corrections

  • A previous version of this story incorrectly stated in the headline that LifeLabs was trying to block the investigation into their 2019 privacy breach. In fact, it is trying to block the release of information obtained during that investigation, which it fully co-operated with. Jul 30, 2020 11:28 AM ET


COMMENTS

  1. Lessons Learned: LifeLabs Data Breach Case Study

    Lessons Learned: LifeLabs Data Breach Case Study. This is the third blog post of our blog series on the topic of Lessons Learned. In our first article, we had a look at the BlackRock data breach and in our second article, we shed light on Earl Enterprises Data Breach. This blog post is intended to assist health care practices in ...

  2. Inadequate Security, Policies Led to LifeLabs Data Breach of 15M Patients

    The incident was the second-largest healthcare data breach of 2019. While LifeLabs fixed the system issues that led to the breach, patients soon filed several lawsuits against the testing giant ...

  3. LifeLabs data breach: Hackers could still hold health records of 15M

    LifeLabs — Canada's major provider of lab diagnostics and testing services — announced on Dec. 17 that hackers had potentially accessed computer systems with data from "approximately 15 ...

  4. Lifelabs Data Breach, the Largest Ever in Canada, May Cost the Company

    The LifeLabs data breach comes in the midst of general concern about the Canadian health care system's ability to protect patient data. 2019 saw the Ryuk malware devastate three hospitals in Ontario, the theft of an unencrypted hard drive full of patient data and unauthorized employee access of thousands of records in Alberta, and the ...

  5. LifeLabs customers can now apply for up to $150 in ...

    Applications are open online until April 6. (Cole Burston/The Canadian Press) Canadian residents whose personal data was compromised in a 2019 LifeLabs data breach can now apply for up to $150 in ...

  6. LifeLabs pays ransom after cyberattack exposes information of 15

    In a letter to customers, LifeLabs president Charles Brown wrote that information related to about 15 million customers, mainly in B.C. and Ontario, may have been accessed during the breach.

  7. LifeLabs failed to protect personal health information of millions

    The data breach of laboratory testing company LifeLabs affected around 15 million Canadians. (Cole Burston/The Canadian Press) LifeLabs failed to protect the personal health information of ...

  8. LifeLabs hack: What Canadians need to know about the health data breach

    A data breach at LifeLabs, potentially affecting up to 15 million Canadians, was revealed Tuesday. The company, which performs medical lab tests, apologized for the security breach in a statement ...

  9. PDF Canadian digital health data breaches: time for reform

    LifeLabs case, the data were extracted." Although LifeLabs said it "retrieved the data by making a payment", Frank says, "if the cybercriminals already have a copy, then retrieving it will not suddenly disallow the attackers from further using that data". Frank suggests that LifeLabs likely "fell victim to a ransomware attack,

  10. How has LifeLabs responded to the breach?

    Following the discovery of the breach, LifeLabs has taken several measures to protect customer information: We immediately engaged world-class cyber security experts to isolate and secure the systems, and determine the scope of the breach; We are taking steps to further strengthen our systems to deter future attacks;

  11. LifeLabs cyberattack: Settlement reached in class action

    LifeLabs announced the data breach in December 2019, but the company said it discovered the cyberattack in late October. ... Radical anti-government rhetoric appears in northern Ont. court case.

  12. LifeLabs lawsuit: Payout after 2019 cyberattack

    Canadians affected by the massive 2019 cyberattack on LifeLabs are finally getting their money following a class-action lawsuit. The 901,544 claimants across the country will receive $7.86. KPMG, acting on behalf of the plaintiffs, says the payout amount is low because so many people filed claims. The initial payout was expected to be up to $150.

  13. LifeLabs pays hackers to recover data of 15 million customers

    According to LifeLabs, the hackers took information on over 15 million customers. The type of personal data stolen by the attackers included names, home addresses, email addresses, usernames ...

  14. LifeLabs reveals data breach, possibly affecting up to 15 million

    WATCH: Cyberattack compromises data of 15 million LifeLabs customers - Dec 17, 2019. Lab-test provider LifeLabs says the personal information — possibly including health card numbers — of an ...

  15. B.C. LifeLabs customers start to receive settlements but amount may be

    2:14 Miniscule payout for LifeLabs class action lawsuit claimants B.C. LifeLabs customers who were part of the data breach class-action lawsuit will be receiving their settlement payments in the ...

  16. Findings of investigation: LifeLabs breach

    LifeLabs worked with outside cybersecurity consultants to investigate the incident and restore the security of the data. According to the December 17, 2019 Backgrounder on the breach , it was revealed that there was a large-scale breach of systems containing information of an estimated 15 million people mostly in Ontario and British Columbia.

  17. LifeLabs cyberattack one of 'several wake-up calls' for e-health

    The data breach of Canadian laboratory testing company LifeLabs highlights the security and privacy challenges that come with the push for a medical system in which e-health plays a significant ...

  18. LifeLabs pays ransom after massive data breach affecting up to 15

    The cyberattack follows a massive data breach at Desjardins Group this year that affected all 4.2 million of its customers, which resulted in the banking co-operative's chief executive officer ...

  19. Lab test results stolen in hack of 15 million patients' records

    A Canadian company specializing in administering laboratory tests, LifeLabs, announced on Dec. 17 that it had been the victim of a data breach affecting up to 15 million customers. And yes, at ...

  20. 15 Million Affected by LifeLabs Data Breach

    November 1, 2019 - LifeLabs data breach was discovered, affecting 15 million patients, the second-largest healthcare breach reported in 2019. Hackers infiltrated LifeLabs computer systems, risking patients' protected health information (PHI). Data that may have been exposed in the hack include health card information, patients' lab ...

  21. LifeLabs class action payments start flowing to more than 900,000

    The class action was launched against LifeLabs after a 2019 data breach allowed hackers to access the personal information of up to 15 million customers. An Ontario court approved a total Canada ...

  22. LifeLabs facing proposed class action over data breach

    TORONTO -- A proposed class action lawsuit has been filed against medical services company LifeLabs over a data breach that allowed hackers to access the personal information of up to 15 million customers. In an unproven statement of claim filed in Ontario Superior Court on Dec. 27, lawyers Peter Waldmann and Andrew Stein accuse LifeLabs of ...

  23. 'We're sorry': 15M LifeLabs customers may have had data ...

    Hackers may have obtained the personal data of 15 million LifeLabs customers after a systems breach, and this includes addresses, passwords, birthdays, health card numbers and even lab results.

  24. Claimants in LifeLabs data-breach class action to get $7.86 each

    The sign for a LifeLabs location in North Vancouver, B.C., pictured in October 2021. The company said most of its customers affected by the data breach were in British Columbia and Ontario ...

  25. LifeLabs Hit With Several Lawsuits Over Data Breach of 15M Patients

    Canadian testing giant LifeLabs is facing a potentially class-action lawsuit after it reported a massive data breach impacting 15 million patients; officials paid cybercriminals to retrieve the data.

  26. LifeLabs Suffers a Data Breach Revealing the Health Data of 15 Million

    The data was accessed by an unauthorized party and LifeLabs paid a ransom to retrieve their stolen data. They paid for the data in collaboration with cybersecurity experts who reportedly helped guide them through the process. The data that was stolen includes names, addresses, emails, patient login passwords, date of birth, and health-card numbers.

  27. Customers involved in LifeLabs data breach class-action lawsuit ...

    People involved in a data leak by LifeLabs in 2019 are finally receiving compensation, but the amount is less than many expected. The company settled a class action lawsuit for more than 900,000 ...

  28. LifeLabs goes to court to block results of investigation into 2019

    A previous version of this story incorrectly stated in the headline that LifeLabs was trying to block the investigation into their 2019 privacy breach. In fact, it is trying to block the release ...

  29. Claimants getting under $10 from LifeLabs lawsuit

    Claimants getting under $10 from LifeLabs lawsuit. Ontario residents say they are receiving less than $10 dollars from a settlement by LifeLabs for a data breach. May 15, 2024 1:50 p.m. PDT.