LifeLabs Pays Hackers Who Accessed 15M Customers’ Lab Test Results

The data breach disclosure was met with ire from customers whose lab test results, health card numbers and more were accessed.

LifeLabs, a Canadian laboratory testing company, said it has paid hackers after they accessed the data of 15 million customers – including highly-sensitive lab test results.

In a letter sent Tuesday to customers, LifeLabs said that the breach affected customer information including names, addresses, emails, logins, passwords, dates of birth, health card numbers (for health insurance) and lab test results. After the cyberattack, the company said that it “retrieved the data by making a payment.”

“We have fixed the system issues related to the criminal activity and worked around the clock to put in place additional safeguards to protect your information. In the interest of transparency and as required by privacy regulations, we are making this announcement to notify all customers,” LifeLabs president and CEO Charles Brown in a Tuesday announcement.

LifeLabs, Canada’s top laboratory diagnostic data provider, said it supports 20 million patient visits annually and conducts over 100 million lab tests. The company did not say when the breach occurred or how its systems were infiltrated. Threatpost has reached out for more details.

The majority of the 15 million affected customers are in B.C. and Ontario, with relatively few customers in other locations, according to LifeLabs.

“In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly,” said Brown. “Our investigation to date indicates any instance of health card information was from 2016 or earlier.”

LifeLabs said that since the attack, it has engaged with security experts and law enforcement, isolated and secured the affected systems, and offered cybersecurity protection to customers (including identity theft and fraud protection insurance).

However, the company’s data breach disclosure on Twitter was met with rancor from customers, who demanded more details around the timeline of the breach and how data was being secured.

While LifeLabs did not mention ransomware in their disclosure, “this appears to be a successful extortion attack upon LifeLabs given that they have paid their criminal attackers to have the stolen data returned,” Brian Higgins, security specialist at Comparitech, said in an email. “Only after thorough investigation by the relevant authorities will this be confirmed and until then there remains the possibility that other cyber criminals may be in possession of the data. The compensatory offer of free Dark Web monitoring and password advice are a nice touch but by far the most critical threat to LifeLabs customers is further exploitation by criminal organizations.”

Healthcare organizations continue to be hit by cyberattacks; with New Jersey’s largest hospital system just this past week saying that it has paid hackers a ransom after a ransomware attack disrupted its services earlier this month. Other hospitals and healthcare networks that have been hit by ransomware over the past few months, including the DCH Health System.

While there have been many breaches this past year, healthcare-related cyberattacks like this latest one “hits a little closer to home as it directly impacts the medical records of our families and loved ones,” Irfahn Khimji, CISSP, country manager for Canada at Tripwire, said in an email.  “While some of the information compromised cannot be changed, there is some due diligence that consumers can take.   If one’s login credentials used to access the LifeLabs portal are used on other sites, it is a good idea to change those passwords as well as consider using a password manager moving forward.  Where possible, it is also a good idea to enable multi-factor authentication.”

Suggested articles