The private data of up to 15 million LifeLabs customers has been breached, according to the Information and Privacy Commissioners of B.C. and Ontario.
Both provinces are investigating a cyberattack on the company’s computer systems. The company is one of Canada’s largest medical services companies.
LifeLabs said that the compromised database included health card numbers, names, email addresses, login, passwords and dates of birth but said it wasn’t sure how many of the files were accessed during the breach.
According to LifeLabs, information relating to approximately 15 million customers on the computer systems that were potentially accessed in this breach. The vast majority of these customers are in B.C. and Ontario, with relatively few customers in other locations.
There are 85,000 impacted customers from in Ontario whose lab tests results may have compromised.
The results are from 2016 and earlier. LifeLabs said it will work to notify those customers directly.
LifeLabs told officials cybercriminals penetrated their systems, extracted data and demanded a ransom.
A statement on the company’s website by LifeLabs president and CEO Charles Brown says they apologize for the breach and consulted with “world-class cybersecurity experts” to isolate the incident and determine the scope of the incident.
They also say on the advice of experts, they paid a sum of money. The Toronto-based company declined to say how much money was paid to secure the data.
LifeLabs contacted provincial officials about the breach on Nov. 1 – but didn’t make a public announcement until nearly seven weeks later on Dec. 17.
“The breach of sensitive personal health information can be devastating to those who are affected,” said Michael McEvoy, Information and Privacy Commissioner for B.C.
“Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”
“An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario.
“Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”
LifeLabs says cyber experts told them the risk to customers is low, and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.
They say the vast majority of those impacted are in B.C. and Ontario, with relatively few customers in other locations.
The company says any customer who is concerned about the incident can receive one free year of information protection.
They added that they have strengthened their systems to deter future incidents.
The incident is only the latest data breach to affect Canadian consumers.
The Desjardins Group revealed in December that a data breach in June hit 4.2 million members, all of its clients.
The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.
In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline’s mobile app.
In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.
With files from The Canadian Press