The Canadian laboratory testing company LifeLabs says it made a payment to criminals to retrieve the sensitive information of millions of customers after a cyberattack on its computer systems.
In a letter to customers, LifeLabs president Charles Brown wrote that information related to about 15 million customers, mainly in B.C. and Ontario, may have been accessed during the breach.
The company says it paid the ransom, “in collaboration with experts familiar with cyberattacks and negotiations with cyber criminals.”
The letter does not indicate where the attack originated or who was responsible.
On Tuesday afternoon, B.C. Health Minister Adrian Dix said the province was first informed of the breach on Oct. 28. On Nov. 7, it was confirmed that British Columbians’ private information was involved.
When asked why it took more than five weeks after that to inform the public, Dix said there was some concern about secondary attacks.
“Naturally, all of us would have wanted immediately for people to be informed, as quickly as possible,” Dix told reporters.
“The only reason there was a delay was to ensure that information that hadn’t been compromised wouldn’t be compromised, and that information that could be protected would be protected.”
He said LifeLabs is responsible for about 34 per cent of laboratory tests in B.C.
The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia confirmed in separate statements on Tuesday that they are both investigating the incident.
Logins, passwords affected
The laboratory reported the cyberattack to the two provincial privacy offices on Nov. 1.
According to Brown’s letter, customers’ names, addresses, birthdates, email addresses, customer logins and passwords, health card numbers and lab test results were affected by the breach. But Brown said cybersecurity experts hired by LifeLabs have not seen any public disclosure of customer data, even on the dark web.
This isn’t the first incident involving LifeLabs computer systems. In January 2013, the medical information of thousands of patients in Kamloops, B.C., went missing.
It wasn’t until June that year that the company admitted it had lost track of a computer hard drive, which held the information of more than 16,000 patients.
The hard drive held the results of electrocardiograms gathered at three facilities between 2007 and 2013.
LifeLabs said privacy commissioners are already investigating the latest cyberattack, and while the company has taken steps over the years to strengthen its cyber defences, it will provide one free year of identity theft insurance, including dark web monitoring.
LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services.
“We’ve seen this happen with a number of hospitals around the world,” said technology expert Graham Williams.
Williams says — depending on the information that was stolen — that a big concern arising out of the cyberattack could be that medical data could not only be used for identity theft or medical fraud but also blackmail.