LifeLabs cyber attack could impact 15 million customers

WELLINGTON COUNTY – It’s unknown how many local residents are impacted by a recent cyber attack on LifeLabs.

The breach, announced on Dec. 17, involved access to customer information that could include name, address, email, login, passwords, date of birth, health card number and lab test results.

According to the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC), the cyber attack was reported on Nov. 1.

“LifeLabs advised our offices that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom,” a joint IPC and OIPC press release stated.

“LifeLabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data.”

The IPC and OIPC will complete a joint investigation that will look at the scope of the incident, how it happened, what could have prevented the breach and possible steps to prevent similar attacks.

“I am sorry this happened,” said LifeLabs president and CEO Charles Brown in an open letter on the lab’s website. “As we manage through this issue, my team and I remain focused on the best interests of our customers.

“You entrust us with important health information and we take that responsibility very seriously.”

The attackers potentially had access to information on 15 million customers, mostly from Ontario and BC.

As of Dec. 17 the company’s investigation indicates there are 85,000 impacted customers from 2016 or earlier located in Ontario. Those customers will be contacted directly.

LifeLabs spokesperson Roy Saad said he is unable to identify how many of those customers are from Wellington County.

The only full lab in the county is located in Fergus, according to Saad.

“I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations,” Brown said.

Both the IPC and OIPC are concerned about the breach.

“An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant.”

He said cyber attacks are a growing criminal phenomenon and attackers are becoming more and more sophisticated.

“Public institutions and health care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times,” Beamish said.

Since the breach, LifeLabs has undertaken certain measures to help ensure the safety of customer information:

– engaging with cyber security experts to secure information and find out what happened;

– strengthening systems to ensure something like this can’t happen again;

– paying to get information back from the attackers;

– working with law enforcement; and

– offering cyber security protection services to customers, which can be accessed at https://customernotice.lifelabs.com

Those affected by the cyber attack can find out more at customernotice.lifelabs.com or 1-888-918-0467.

However, the IPC and the OIPC said affected individuals do not need to contact them directly.

“Our investigation is already underway and we will release our findings and recommendations once it is completed,” IPC and OIPC officials stated. “We will be working to address the interests of everyone affected by this breach.”

 
