If you’ve undergone any sort of medical test in British Columbia, odds are it went through LifeLabs.
“We have literally 1,000s of lab tests available to meet the diverse needs of the millions of patients who come to us each year for testing,” the company’s website reads.
Those services include pregnancy tests and other reproductive diagnoses, illegal-drug and alcohol screenings, genetic testing, and checking British Columbians for sexually transmitted diseases, among many others.
And now the results of all those tests, alongside their corresponding patient names and contact info, might be up for sale on the dark web somewhere, B.C.’s privacy watchdog revealed today (December 17).
“On Nov. 1, 2019, LifeLabs reported a potential cyberattack on their computer systems to the IPC [Privacy Commissioner of Ontario] and the OIPC [Office of the Information and Privacy Commissioner for British Columbia],” a media release reads.
“Shortly thereafter, they confirmed they were the subject of an attack affecting the personal information of millions of customers, primarily in Ontario and British Columbia,” it continues.
“They told us that the affected systems contain information of approximately 15 million LifeLabs customers, including name, address, email, customer logins and passwords, health card numbers and lab tests.
“LifeLabs advised our offices that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom. LifeLabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data.”
In a separate release, LifeLabs president and CEO Charles Brown apologized for the breach and outlined steps the company has taken since then.
Those steps included making a ransom payment to the individual or organization that stole the data in order to secure its retrieval, he revealed.
“We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals,” Brown said there.
“I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations,” he continued.
There are approximately 15 million LifeLabs customers who are “potentially” affected by the data breach, according to the release.
It doesn’t make clear exactly how that number of customers might be impacted. Further down in the release, LifeLabs states: “The vast majority of these customers are in B.C. and Ontario, with relatively few customers in other locations. In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly.”
LifeLabs is owned by the Ontario Municipal Employees Retirement System (OMERS), a large pension fund that manages the savings of Ontario’s public employees.
The OIPCBC’s release states that anyone who worries they might be affected by the hack can contact a dedicated phone line that LifeLabs has established. That number is 1-888-918-0467. People looking for more information can also visit customernotice.lifelabs.com/.
The release includes statements from the privacy commissioners of both Ontario and B.C.
“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected,” said Brian Beamish, the information and privacy commissioner of Ontario. “Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”
Michael McEvoy, information and privacy commissioner for B.C., similarly said he is “concerned”.
“The breach of sensitive personal health information can be devastating to those who are affected,” McEvoy continued. “Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”