Affected systems contain information of about 15 million LifeLab customers

THE Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) are undertaking a coordinated investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs.

LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions: LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.

On November 1, LifeLabs reported a potential cyberattack on their computer systems to the IPC and the OIPC. Shortly thereafter, they confirmed they were the subject of an attack affecting the personal information of millions of customers, primarily in Ontario and British Columbia.

“They told us that the affected systems contain information of approximately 15 million LifeLab customers, including name, address, email, customer logins and passwords, health card numbers and lab tests. LifeLabs advised our offices that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom. Lifelabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data,” the commissioners said.

The co-ordinated IPC/OIPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it and what, if any, measures Lifelabs could have taken to prevent and contain the breach. It will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”

Michael McEvoy, Information and Privacy Commissioner for B.C. said, “I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected. Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”

The IPC and OIPC are reaching out to the information and privacy commissioners of other jurisdictions with affected customers.

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit: 

customernotice.lifelabs.com (http://www.customernotice.lifelabs.com/) or contact LifeLabs at 1 888 918-0467.

CHARLES Brown, President and CEO, LifeLabs, in an open letter to LifeLab customers posted on their website, said:

Through proactive surveillance, LifeLabs recently identified a cyber-attack that involved unauthorized access to our computer systems with customer information that could include name, address, email, login, passwords, date of birth, health card number and lab test results.

Personally, I want to say I am sorry that this happened. As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously.

We have taken several measures to protect our customer information including:

• Immediately engaging with world-class cyber security experts to isolate and secure the affected systems and determine the scope of the breach;
• Further strengthening our systems to deter future incidents;
• Retrieving the data by making a payment. We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals;
• Engaging with law enforcement, who are currently investigating the matter; and
• Offering cyber security protection services to our customers, such as identity theft and fraud protection insurance.

I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.

We have fixed the system issues related to the criminal activity and worked around the clock to put in place additional safeguards to protect your information. In the interest of transparency and as required by privacy regulations, we are making this announcement to notify all customers. There is information relating to approximately 15 million customers on the computer systems that were potentially accessed in this breach. The vast majority of these customers are in B.C. and Ontario, with relatively few customers in other locations. In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly. Our investigation to date indicates any instance of health card information was from 2016 or earlier.

While you are entitled to file a complaint with the privacy commissioners, we have already notified them of this breach and they are investigating the matter. We have also notified our government partners.

While we’ve been taking steps over the last several years to strengthen our cyber defenses, this has served as a reminder that we need to stay ahead of cybercrime which has become a pervasive issue around the world in all sectors.

Any customer who is concerned about this incident can receive one free year of protection that includes dark web monitoring and identity theft insurance.