Statement from the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia on LifeLabs Privacy Breach

Commissioners investigating cyberattack affecting health care
information of millions of customers

TORONTO, Dec. 17, 2019 /CNW/ - The Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) are undertaking a coordinated investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs.

LifeLabs is Canada's largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions ? LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.

On November 1, 2019, LifeLabs reported a potential cyberattack on their computer systems to the IPC and the OIPC. Shortly thereafter, they confirmed they were the subject of an attack affecting the personal information of millions of customers, primarily in Ontario and British Columbia. They told us that the affected systems contain information of approximately 15 million LifeLab customers, including name, address, email, customer logins and passwords, health card numbers, and lab tests. LifeLabs advised our offices that cyber criminals penetrated the company's systems, extracting data and demanding a ransom. LifeLabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data.

The coordinated IPC/OIPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it, and what, if any, measures Lifelabs could have taken to prevent and contain the breach. We will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

"An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant," says Brian Beamish, Information and Privacy Commissioner of Ontario. "Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and healthcare organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times."

"I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected," says Michael McEvoy, Information, and Privacy Commissioner for BC. "Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete."

The IPC and OIPC are reaching out to the information and privacy commissioners of other jurisdictions with affected customers.

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

Note to media: We will not discuss the details of the investigation while it is ongoing. Our offices will issue a public report once the investigation is complete.

LifeLabs Privacy Breach
December 17, 2019

Backgrounder 

When were you notified of the breach?

On November 1, LifeLabs notified both the Office of the Information and Privacy Commissioner of Ontario and the Information and Privacy Commissioner for British Columbia that, through their cybersecurity monitoring systems, they had detected a potential breach. LifeLabs has since confirmed they were the subject of a cyberattack on their computer systems. They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom. LifeLabs paid the ransom to secure the data.

How many people were affected?

LifeLabs is still investigating the number of people who were affected but we understand this is a large-scale breach of systems containing information of an estimated 15 million people.

LifeLabs has advised that the vast majority of their customers are in B.C. and Ontario with very few customers in other locations and that if customers have visited LifeLabs for a test, or received a test or service from LifeLabs Genetics and Rocky Mountain Analytical, their information is likely in their database.

What kind of information was affected?

LifeLabs has informed us that the information in the systems includes names, addresses, emails, customer logins and passwords, date of birth, health card numbers, and, for some customers, lab tests.

What role are the privacy commissioners playing?

The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC are investigating this incident. As part of this investigation, we are working to assess:

• the impact of the breach
• the adequacy of LifeLabs' security measures and response to the breach, and
• what measures will be necessary to avoid further breaches.

When will the investigation be complete?

We are hoping to complete the investigation as soon as possible. However, each case is unique and the timing subject to the specific context. We also want to ensure that our investigation is thorough and canvasses all of the issues that concern the public.

Our findings and recommendations will be made public when the investigation is complete.

What can organizations do to protect themselves from cyberattacks?

Various strategies for defending against and responding to a cyberattack include:

• employee training
• limiting user privileges
• software protection

Depending on the size and scope of the organization, they may want to hire a third party security consultant to assist in making sure data systems are secure and protected.

Unfortunately, these kind of attacks ? and the bad actors who perpetrate them ? are becoming increasingly sophisticated.

Even if an organization does everything right, there is no guarantee that they will not fall victim to a cyberattack.

It's important to be vigilant, and continuously examine cybersecurity systems, including staff training and other technical and administrative measures. 

There is guidance available for organizations that outline steps to protect personal data from cyberattack and how to respond to a privacy breach. They include:

• Protect Against Phishing
• Privacy Breaches ? Guidelines for Public Sector Organizations
• Privacy Breaches ? Guidelines for the Health Sector
• Protecting Against Ransomware

What can someone do if they are affected by the breach?

We recognize that a breach of sensitive personal information can cause distress for those who are affected.

LifeLabs has indicated that any individual concerned about the incident can receive free protection that includes web monitoring and identity theft insurance. Customers should visit www.customernotice.lifelabs.com or call 1-888-918-0467.

People affected by the breach are not required to file individual complaints with our office. Our investigation is already underway and we will release our findings and recommendations once it is completed. We will be working to address the interests of everyone affected by this breach.

Brian Beamish
Information and Privacy Commissioner of Ontario

Michael McEvoy
Information and Privacy Commissioner for British Columbia

SOURCE Office of the Information and Privacy Commissioner/Ontario