Canadian lab pays hackers to recover data on 15M customers

illustration of closed padlock on digital background representing cybersecurity
Hackers breached LifeLabs' computer systems, extracted data, and demanded a ransom to return the data to the company. (ranjith ravindran/Shutterstock)

Canadian lab LifeLabs paid hackers to retrieve patients' data stolen during a data breach in November.

The breach potentially impacted 15 million customers based on the amount of medical information on the computer systems that were accessed in the breach, the company said in a notice on its website.

LifeLabs is Canada's largest provider of laboratory diagnostics and testing services. The information accessed by the hackers included patient names, addresses, email, login, passwords, date of birth, health card numbers and lab test results.

Product Spotlight

Top-Rated Mobile App for Health Insurance Members

Zipari’s Mobile App is the smarter, easier, and better way for payers to engage members on the go and directly in the palm of their hands. Members can find the right doctors, receive notifications, send messages, view claims, track spending, talk to a nurse, download ID card, and more. It’s ready to install and launch in a few months.

The company retrieved the information by making a payment, the company said but did not specify how much it paid the hackers.

"We did this in collaboration with experts familiar with cyber-attacks and negotiations with cybercriminals," LifeLabs said in the notice.

LifeLabs said the hackers breached its systems, extracted customer data and then demanded a ransom to give the company back its data.

RELATED: Third medical testing company impacted by AMCA breach as Congress seeks answers

The stolen data was dated 2016 and earlier, the company said. The majority of customers are in British Columbia and Ontario, with relatively few customers in other locations.

"In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly," LifeLabs said. 

According to documents the company filed with Office of the Information and Privacy Commissioner of Ontario and the Office of the Information (IPC) and Privacy Commissioner for British Columbia (OIPC), the breach occurred around November 1.

The privacy officials have launched a coordinated investigation into the cyberattack to determine what, if any, measures Lifelabs could have taken to prevent and contain the breach

"An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement.

Beamish said cyberattacks are a "growing criminal phenomena" and perpetrators are becoming increasingly sophisticated.

RELATED: Quest, LabCorp data breach highlights cyber risk from vendors: Moody's

"Public institutions and healthcare organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times," he said.

Earlier this year, four U.S.-based clinical labs, including Quest Diagnostics and LabCorp, were impacted by a massive security breach at a third-party billing collections firm. That breach potentially exposed over 22 million patients' data.

The company is working with cybersecurity firms to determine the scope of the breach. LifeLabs also is offering cybersecurity protection services to customers, such as identity theft and fraud protection insurance. Customers also can get one year of free protection that includes dark web monitoring and identity theft insurance, the company said.

In the notice to customers, LifeLabs president and CEO Charles Brown said cybersecurity firms have advised that the risk to customers is "low" as there has been no indication that customer data has been publicly disclosed.

"Personally, I want to say I am sorry that this happened," Brown said in the notice to customers. "As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously."

Suggested Articles

A new study found that more than half of doctors don't believe drug-resistant superbugs are a major concern for their practice.

Blue Shield of California is teaming up with Cricket Health to offer coordinated care to members with late-stage and end-stage renal disease.

Congress should pass another $50 billion in provider relief funding and spur more participation in alternative payment models, advocates say.