4.7M of B.C.'s 5M residents may have been impacted by LifeLabs cyberattack: privacy commissioner

VANCOUVER -- So far in the investigation, it appears that an estimated 4.7 million British Columbians may have been impacted by a data breach at a medical laboratory company late last year.

The Office of the Information and Privacy Commissioner for B.C. confirmed the number Friday in an email to CTVNewsVancouver.ca.

The latest number is not far off the initial estimate by the OIPC that "up to five million" British Columbians might be affected. According to Statistics Canada data, the total population of British Columbia last year was 5.071 million.

The investigation is ongoing, and the OIPC said the number may change as more information is uncovered.

The massive cyberattack targeted a laboratory testing company with locations across Canada – primarily in B.C. and Ontario.

The company's website claims more than a million Canadians use its services, and more than 112 million tests are performed by its labs each year.

Earlier Friday, Alberta's privacy commissioner said nearly 22,000 Albertans may have been part of the estimated 15 million Canadians that could have had their data compromised. 

• Read more on CTVNewsEdmonton.ca

The company itself estimates about 85,000 lab test customers were impacted.

The breach prompted multiple class action lawsuits, including one filed on behalf of a B.C. care aid. 

That suit alleges the company lacked "adequate security" and training for its employees, and that it should have notified customers as soon as it happened.

LifeLabs notified the OIPC about the breach on Nov. 1, but the public was not made aware of the incident for six more weeks.

Soon after the OIPC was informed, LifeLabs confirmed that cyber criminals had penetrated the company's systems.

They took data and demanded a ransom, which was paid at least in part by LifeLabs in hopes of retrieving the data. The exchange of money involved a collaboration with cyberattack experts.

At the time, LifeLabs president and CEO Charles Brown called the hack a "wake-up call," and said "We all need to up our game to protect our customer data."

B.C.'s health minister defended the decision to wait to inform patients, saying in December that LifeLabs asked for that time to secure its system so it wouldn't be vulnerable to another attack after making the announcement.

It is not yet known what data hackers were able to obtain, but a notice sent to some patients earlier this month suggested access was obtained to systems with information including lab test results.

Hackers may also have obtained logins, passwords, appointment booking accounts, birth dates, health card numbers, genders, phone numbers, password security questions, names, addresses and email addresses.

Customers were told that the portals on LifeLabs' site called "my ehealth" and "my results" were not affected.

"Please be advised that this message does not mean that you are one of the 85,000 lab test customers impacted. These customers are primarily based in Ontario," LifeLabs said in an email to a customer sent earlier this month.

"If you are one of these customers, you will be notified by us separately."

The email said cybersecurity firms suggest the risk to customers is low, and that so far, there have been no attempts to publicly post any data obtained in the breach.

The company said anyone who uses its services will be required to set up a new password the next time they log in, if they haven't already done so.

"You are entitled to file a complaint with the privacy commissioners. However, we have already notified them of this attack and they are investigating the matter," the email said.

"We are very sorry that this happened."

Anyone concerned is asked to contact the LifeLabs hotline at 1-800-431-7206.

Read LifeLabs' open letter to customers and more on the company's response to the attack.