LifeLabs, Canada’s largest private provider of diagnostic testing for health care, was hit with a cyberattack sometime in October and paid a ransom to retrieve the stolen data.
Six weeks after discovering the breach, security experts hired by the company are still trying to figure out how much data was involved. The servers that were accessed contained information on 15 million Canadians, including almost four million in B.C., according to CEO Charles Brown.
“This is still under police investigation,” Brown told Postmedia. “I just can’t talk about actual details of who did what, (or) how we got contacted (about the ransom demand).”
The information that cyber criminals might have had access to includes names, addresses, emails, patient login passwords, and health-card numbers.
Additionally, the company knows that lab results for 85,000 Ontario residents were also potentially compromised, Brown said.
B.C. Health Minister Adrian Dix said LifeLabs contacted the government on Oct. 28, and informed the office of B.C. Information and Privacy Commissioner Michael McEvoy on Nov. 1.
LifeLabs has been providing daily updates on its progress in dealing with the breach, Dix said, and the information and privacy commissioners in both B.C. and Ontario have launched their own investigations into the incident.
Brown said the delay in informing its customers was to make sure that it had retrieved the data, and had secured and strengthened its security so it would not be vulnerable to subsequent attacks.
He added that the company also had to assemble a security-protection package to offer customers and establish a call centre and Internet microsite to offer that package to patients.
“That’s really what took so long,” Brown said. “Our experts have been telling us we’re actually moving fairly quickly here.”
Dix said the data breach is “of vital concern” to B.C. since LifeLabs conducts 34 per cent of all diagnostic tests for the province’s health care system. The province is working with the company to make sure the data of British Columbians remains secure.
“This is the world we live in, and the security of personal data has to be the highest priority,” Dix said.
He added that B.C.’s expectation was that patients be informed of the breach “the first possible moment after they contacted the information and privacy commissioner, and that was today.”
Brown said that while LifeLabs did pay a ransom for the return of the data, the company and its security providers are confident that information on individuals will not be further compromised.
LifeLabs shut down the breach and isolated its servers as soon as the unauthorized access to its system was discovered through regular security surveillance, Brown said. Its security advisers have not seen any of the data surface anywhere else online.
“The target is actually the company,” Brown said. “(Criminals) are using these sorts of attacks to extract payments from companies.”
LifeLabs' security consultants have advised the company that it is companies that do not pay to retrieve information that see their data being made public.
“We believe that this sort of attack fits into that model and why we believe the threat to individuals is low,” Brown said.
“I am deeply concerned about this matter,” said B.C. Information and Privacy Commissioner Michael McEvoy. “The breach of sensitive personal health information can be devastating to those who are affected.”
“Our independent offices are committed to thoroughly investigating this breach,” McEvoy said.
However, while the commissioners said they will report publicly on their findings and recommendations once the work is complete, they will not discuss details of their proceedings while it is underway.
LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public can visit customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.
The new security package being offered includes cyber security protection for one year from TransUnion, which includes credit monitoring and fraud insurance protection.