LifeLabs, a Canadian laboratory testing and diagnostics services provider, reported of a Ransomware attack to the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) on November 1, 2019. Under careful monitoring and expert advice from top cybersecurity , LifeLabs finally bowed down and paid an undisclosed ransom amount to regain access to its 15 million customers’ personal data and close to 85,000 Laboratory Test Results.
LifeLabs confirmed that they were subject to an attack affecting the personal information of customers based mainly in the states of Ontario and British Columbia. The compromised customer data included personal information such as names, addresses, emails, usernames and passwords, health card numbers, and lab tests.
“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “Cyberattacks are a growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and health care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”
Although the stolen data was dated before 2016, a data breach this big cannot be dusted under the carpet. Taking complete responsibility of this lapse, Charles Brown, LifeLabs President and CEO said, “Personally, I want to say I am sorry that this happened. As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously.”
He emphasized “that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”
LifeLabs also said that they have taken all required and prescribed remedial measures to patch the flaws in the affected systems and their corresponding networks. In addition, they have also agreed to provide cybersecurity protection services such as identity theft and fraud protection insurance to all its affected customers.