LifeLabs Medical Laboratory Services, Canada’s largest lab testing company, has paid a ransom after a major cyberattack led to the theft of lab results for 85,000 Ontarians and potentially the personal information of 15 million customers.
The personal information stolen from the lab test provider could include a customer’s name, address, e-mail, login, passwords, date of birth and health card number, all of which were on the computer systems the hackers accessed.
LifeLabs paid an undisclosed sum to retrieve the data, the company said on Tuesday, and also hired cybersecurity experts to assess the damage. The hired firms “have advised that the risk to our customers in connection with this cyberattack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”
LifeLabs is owned by the investment arm of Ontario Municipal Employees Retirement System. The company was originally founded by five entrepreneurs from IBM who hoped to create systems for health-care professionals. In 2013, LifeLabs became the dominant player in Canada’s lab testing market after it acquired B.C. Biomedical Laboratories and CML HealthCare.
At the time, bulking up was seen as necessary because medical laboratories are mostly paid by provincial health ministries and are therefore under constant pressure to cut costs. Scale was thought to give LifeLabs the ability to test as efficiently as possible.
The majority of its customers today are in British Columbia and Ontario.
The cyberattack follows a massive data breach at Desjardins Group this year that affected all 4.2 million of its customers, which resulted in the banking co-operative’s chief executive officer testifying in front of provincial legislators in Quebec last month. However, that breach, which involved personal information including social insurance numbers but not banking information or passwords, was the result of an employee who went rogue.
Exact details of the LifeLabs breach have yet to be made public, but there has been a spike in attacks across North America in which hackers break into computer servers in hopes of selling the information back to the affected entity. Despite the rising frequency of corporate data breaches, the theft from LifeLabs marks a rare hack of a health-care body.
Because attacks are so common, some companies now pay for cyberinsurance in the event they have to pay a ransom after an attack. In an interview, LifeLabs CEO Charles Brown said the company had purchased cyberinsurance, but did not provide details on the coverage.
While there is no guarantee the stolen data will remain secure, Mr. Brown said the cyberexperts hired have told LifeLabs that the threat of sensitive information getting out is “very low,” and that they know this from monitoring the previous experience of companies that had data breaches and then agreed to pay the hackers.
For customers who are concerned, LifeLabs has offered to cover one year of data protection that includes dark web monitoring as well as identity theft insurance. The company said it had already notified provincial privacy commissioners of the breach, and they are investigating the matter.
The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia issued a joint statement on Tuesday saying they are undertaking a co-ordinated investigation into the LifeLabs attack. The two privacy bodies said their review will examine the circumstances leading to the breach, what measures LifeLabs could have taken to prevent it and what the company is doing to prevent future attacks.
Ontario’s Privacy Commissioner added that cyberattacks are a growing criminal phenomenon, and public institutions and health-care organizations are responsible for ensuring personal information is secure.
LifeLabs performs 112 million laboratory tests each year at 382 collection centres across British Columbia, Ontario and Saskatchewan. The company is run by Mr. Brown, who previously led electronics retailer The Source and before that was a senior vice-president at BCE Inc.
Globally, notable corporate data thefts in recent years have included attacks on Marriott International Inc. and Equifax Inc., yet both companies are now trading near record highs, suggesting investors, at least, have become desensitized to the breaches.