Privacy breach at medical lab could affect millions in B.C., Ontario

VANCOUVER -- The private information of millions of Canadians could be at risk after a cyberattack was conducted against the computer systems of LifeLabs, a laboratory testing company.

The privacy commissioners' offices in both British Columbia and Ontario are co-ordinating an investigation into the attack, which has affected systems containing information belonging to about 15 million customers – including up to 5 million in B.C.

The information systems contain client data including names, addresses, emails, customer logins and passwords, health card numbers and lab tests, the Office of the Information and Privacy Commissioner for British Columbia said in a statement.

The OIPC said LifeLabs reported a potential cyberattack on Nov. 1 and soon after, confirmed that cyber criminals penetrated the company's systems, took data and demanded a ransom. LifeLabs said in a statement that it's making a payment in the hopes of retrieving the data, which is being done in collaboration with cyber-attack experts.

In response to the breach, LifeLabs president and CEO Charles Brown offered an apology to customers Tuesday.

"I think it's a wake up call for all of us," Brown told CTV News. "These cyber criminals are upping their game as far as their capabilities, and we all need to up our game to protect our customer data."

While the breach was apparently detected through proactive surveillance, the company didn't notify the public for six weeks. B.C. Health Minister Adrian Dix said the company asked for time make sure its system was secure and not vulnerable to secondary attacks.

"There was a delay to ensure that information that hadn't been compromised wouldn't be compromised and information that could be protected was protected," Dix said.

LifeLabs says it will contact 85,000 customers who went to a lab in Ontario in 2016 or earlier because their lab test results may have been impacted.

A dedicated phone line (1-888-918-0467 or 1-800-431-7206 for B.C. residents) has also been set up where people can inquire about further information and the company is offering 12 months of "protection that includes dark web monitoring and identity theft insurance" through TransUnion. 

To access that service, customers will need to call the dedicated phone line and ask for an activation code.

Moving forward, LifeLabs says it has asked outside cybersecurity consultants to investigate and help with restoring security of the data. 

LifeLabs also says it's fixed the affected systems and that the majority of the information on the relevant computer belongs to B.C. and Ontario customers with "relatively few" customers impacted in other areas. 

"I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations," Brown's statement says. 

Meanwhile, the co-ordinated investigation between Ontario and B.C. privacy offices will take a look at the scope of the breach, what led to it and if LifeLabs could have prevented the situation altogether. 

"I am deeply concerned about this matter," said Michael McEvoy, privacy commissioner for B.C., in a news release. 

"The breach of sensitive personal health information can be devastating to those who are affected. Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete." 

With files from CTV News Vancouver's Bhinder Sajan and CTVNews.ca's Adam Ward

Have you been contacted by LifeLabs as a victim of the data breach? Tell us your story at bcassign@ctv.ca.