If you are a LifeLabs client, your personal information could have been obtained by cybercriminals during a security breach.
Brian Beamish with the Office of the Information and Privacy Commissioner of Ontario and Michael McEvoy with the Information and Privacy Commissioner of B.C. are conducting a joint investigation into systems of the laboratory testing company which has affected roughly 15 million customers.
Information includes name, address, email and customer logins, password, health card numbers and lab tests.
"LifeLabs advised our offices that cybercriminals penetrated the company's systems, extracting data and demanding a ransom," a B.C. government news release says.
"Lifelabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data."
In the release, the government says LifeLabs is Canada's largest provider of general diagnostic and speciality lab testing services.
We recently identified a cyber-attack that involved unauthorized access to our computer systems. We are sorry that this incident happened. The data has been retrieved, and a law enforcement investigation is underway. For more info, visit https://t.co/gUYdHeR0Kh.
— LifeLabs (@LifeLabs) December 17, 2019
"An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected," Beamish said.
"This should serve as a reminder to all institutions, large and small, to be vigilant. information and privacy commissioner of Ontario. Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times."
The investigation will include examining the scope of the breach, the circumstances leading to it and if there were any measures Lifelabs could have taken to prevent and contain a breach.
They will also search for ways the company can improve the future security of personal information and stop future attacks.
"I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected," McEvoy added. "Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete."
In a separate release, LifeLabs President and CEO Charles Brown addressed the breach adding the company has taken the following steps since the incident:
- Immediately engaging with world-class cyber security experts to isolate and secure the affected systems and determine the scope of the breach
- Further strengthening our systems to deter future incidents
- Retrieving the data by making a payment. We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals
- Engaging with law enforcement, who are currently investigating the matter
- Offering cyber security protection services to our customers, such as identity theft and fraud protection insurance
"Personally, I want to say I am sorry that this happened," Brown said. "As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously."
Any customer who is concerned about this incident can receive one free year of protection that includes dark web monitoring and identity theft insurance.
LifeLabs has set up a dedicated phone line (1-888-918-0467) and information on its website for those affected by the breach.
