Government privacy commissioners are investigating a data breach at LifeLabs, one of Canada's largest medical services companies, after hackers gained access to the personal information of up to 15 million customers.
"The vast majority of these customers are in B.C. and Ontario, with relatively few customers in other locations," said LifeLabs chief executive Charles Brown in a public statement issued Tuesday.
LifeLabs said that the compromised database included health card numbers, names, email addresses, login, passwords and dates of birth but said it wasn't sure how many of the files were accessed during the breach.
However, it said the hackers did obtain test results from as many as 85,000 Ontario residents, dated 2016 and earlier.
The company said it hired cyber security experts to secure the system and determine the scope of the attack, and paid an undisclosed amount of money as ransom to secure the information.
LifeLabs also said there was no evidence that test results from outside Ontario were compromised.
Privacy commissioners from B.C. and Ontario said they would examine the scope of the breach, the circumstances leading to it, and what measures LifeLabs could have taken to prevent and contain it.
LifeLabs contacted provincial officials about the breach on Nov. 1 but didn't make a public announcement until nearly seven weeks later on Dec. 17.
"Our independent offices are committed to thoroughly investigating this breach," B.C. privacy commissioner Michael McEvoy said in a joint statement with his Ontario counterpart.
"Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times," Ontario privacy commissioner Brian Beamish said.
The company says it is offering customers one year of free protection that includes dark web monitoring and identity theft insurance.
However, the release of potentially valuable private information could open LifeLabs to one or more civil actions from victims seeking compensation.
For example, two class-action lawsuits have been initiated in Quebec Superior Court as a result of a breach at Desjardins Group, a Quebec-based financial co-operative.
Desjardins originally announced in June that personal information of more than 2.9 million members had been shared outside the organization, a figure later upgraded to 4.2 million members.
The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.
In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline's mobile app.
In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.
The company released the following letter:
To our customers:
Through proactive surveillance, LifeLabs recently identified a cyber-attack that involved unauthorized access to our computer systems with customer information that could include name, address, email, login, passwords, date of birth, health card number and lab test results.
Personally, I want to say I am sorry that this happened. As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously.
We have taken several measures to protect our customer information, including:
Immediately engaging with world-class cyber security experts to isolate and secure the affected systems and determine the scope of the attack;
Further strengthening our systems to deter future incidents;
Retrieving the data by making a payment. We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals;
Engaging with law enforcement, who are currently investigating the matter; and
Offering cyber security protection services to our customers, such as identity theft and fraud protection insurance.
I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.
We have fixed the system issues related to the criminal activity and worked around the clock to put in place additional safeguards to protect your information. In the interest of transparency and as required by privacy regulations, we are making this announcement to notify all customers. There is information relating to approximately 15 million customers on the computer systems that were potentially accessed in this breach. The vast majority of these customers are in B.C. and Ontario, with relatively few customers in other locations. In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly. Our investigation to date indicates any instance of health card information was from 2016 or earlier.
While you are entitled to file a complaint with the privacy commissioners, we have already notified them of this attack and they are investigating the matter. We have also notified our government partners.
While we've been taking steps over the last several years to strengthen our cyber defenses, this has served as a reminder that we need to stay ahead of cybercrime which has become a pervasive issue around the world in all sectors.
Any customer who is concerned about this incident can receive one free year of protection that includes dark web monitoring and identity theft insurance. For more information and to learn more on how to sign up for cyber security protection services, please visit https://customernotice.lifelabs.com.
Yours sincerely,
Charles Brown
President and CEO
LifeLabs