TORONTO—Government privacy commissioners are investigating a data breach at LifeLabs, one of Canada's largest medical services companies, after hackers gained access to the personal information of up to 15 million customers.
Most of its customers are in B.C. and Ontario, with relatively few customers in other locations, the company said Tuesday.
“I'm sorry this happened and we'll do everything we can to win back the confidence of our customers,” LifeLabs chief executive Charles Brown said in an interview.
He called the incursion a sophisticated attack that is a wake-up call for the industry.
“Whether you're a private company, a government, a hospital, we're all seeing these attacks rise and there's more and more of them and we've collectively got to do more to make sure all our customers feel secure.”
LifeLabs said that the compromised database included health card numbers, names, email addresses, login, passwords and dates of birth but said it wasn't sure how many of the files were accessed during the breach.
However, it said the hackers did obtain test results from as many as 85,000 Ontario residents, dated 2016 and earlier.
The company said it hired cyber security experts to secure the system and determine the scope of the attack, and paid an undisclosed amount of money as ransom to secure the information.
Brown said it was a hard decision to pay the ransom but he believed customers would want it to do everything possible to retrieve their data.
“We wanted to get the data back," he said. "We thought it was the smart thing to do because it was just in the best interests of our customers.”
Paying ransom is a fairly common business decision that can have some negative consequences, said David Masson, director of enterprise security for cybersecurity firm Darktrace.
“If you pay you're telling the threat actors that you will pay; you're quite likely to get hacked again or they'll tell other threat actors that these people pay. So you could put yourself in a whole world of pain,” he said in an interview.
It also implies that the company has no other option to get the data back and doesn't guarantee that all will be returned.
Masson also believes the data never left the LifeLabs system but was encrypted and never left the system.
While customers will be concerned that their medical test results could be released, the real risk is the unauthorized use of identifiable information that can be used to open a bank account, get a credit card, obtain a loan or buy a vehicle, he added.
“That's why this kind of data is so valuable on the dark web, because they can use your identification to obtain financial gain from your identity and that's the real issue around stealing this kind of information.”
LifeLabs also said there was no evidence that test results from outside Ontario were compromised.
Privacy commissioners from B.C. and Ontario said they would examine the scope of the breach, the circumstances leading to it, and what measures LifeLabs could have taken to prevent and contain it.
LifeLabs contacted provincial officials about the breach on Nov. 1—but didn't make a public announcement until nearly seven weeks later, on Dec. 17.
“Our independent offices are committed to thoroughly investigating this breach,” B.C. privacy commissioner Michael McEvoy said in a joint statement with his Ontario counterpart.
“Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times,” Ontario privacy commissioner Brian Beamish said.
The company says it is offering customers one year of free protection that includes dark-web monitoring and identity theft insurance.
However, the release of potentially valuable private information could open LifeLabs to one or more civil actions from victims seeking compensation.
For example, two class-action lawsuits have been initiated in Quebec Superior Court as a result of a breach at Desjardins Group, a Quebec-based financial co-operative.
Desjardins originally announced in June that personal information of more than 2.9 million members had been shared outside the organization, later upgraded to 4.2 million members.
The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.
In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline's mobile app.
In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.