15 Million Customers Potentially Impacted by Ransomware Attack on Large Canadian Medical Testing Company

A major data breach has been reported by one of Canada’s largest medical testing and diagnostics companies. Toronto-based LifeLabs said hackers have potentially gained access to the personal and health information of up to 15 million customers, most of whom are in British Columbia and Ontario. The number of people potentially affected makes this one of the largest healthcare ransomware attacks to date. The privacy commissioners in both provinces said the scale of the attack “extremely troubling.”

After gaining access to its systems, the attackers deployed ransomware and encrypted an extensive amount of customer data. The cyberattack is still under investigation, so it is unclear what, if any, data has been stolen. It has been confirmed that the attackers gained access to parts of the system that contained the test results of around 85,000 Ontarians. The test results were from 2016 and earlier. No evidence has been found to suggest more recent test results, or medical test results from customers in other areas, have been compromised.

Some of those test results include highly sensitive health information that could potentially be used for blackmail. Other sensitive data potentially accessed includes names, email addresses, health card numbers, dates of birth, usernames, and passwords. To date, it appears that the compromised information has not been misused and the data does not appear to have been disclosed online. Based on the initial findings of the investigation, the risk to customers is believed to be low.

It is unclear whether LifeLabs had viable backups to restore the data, but the decision was taken to pay the ransom. The amount of the ransom has not been publicly disclosed. “We wanted to get the data back,” said LifeLabs chief executive Charles Brown. “We thought it was the smart thing to do because it was just in the best interests of our customers.”

Cybersecurity and computer forensics experts were engaged to secure its systems and determine the full scope of the attack. It may take some time to discover whether any customer data has been stolen by the attackers.

The attack is believed to have started on or before November 1, 2019, but the cyberattack was only disclosed to the public on December 17, 2019. Affected individuals are now being notified and have been offered one year of complimentary credit monitoring and identity theft protection services.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.