Summary:

Statement from the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia on
LifeLabs Privacy Breach

Commissioners investigating cyberattack affecting health care information of millions of customers

TORONTO – Tuesday, December 17, 2019 – The Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) are undertaking a coordinated investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs.

LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions – LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.

On November 1, 2019, LifeLabs reported a potential cyberattack on their computer systems to the IPC and the OIPC. Shortly thereafter, they confirmed they were the subject of an attack affecting the personal information of millions of customers, primarily in Ontario and British Columbia. They told us that the affected systems contain information of approximately 15 million LifeLab customers, including name, address, email, customer logins and passwords, health card numbers, and lab tests. LifeLabs advised our offices that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom. LifeLabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data.

The coordinated IPC/OIPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it, and what, if any, measures Lifelabs could have taken to prevent and contain the breach. We will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” says Brian Beamish, Information and Privacy Commissioner of Ontario. “Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and healthcare organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”

“I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected,” says Michael McEvoy, Information, and Privacy Commissioner for BC. “Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”

The IPC and OIPC are reaching out to the information and privacy commissioners of other jurisdictions with affected customers.

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

Note to media: We will not discuss the details of the investigation while it is ongoing. Our offices will issue a public report once the investigation is complete.

Brian Beamish
Information and Privacy Commissioner of Ontario

Michael McEvoy
Information and Privacy Commissioner for British Columbia

 

Media contacts:

Office of the Information and Privacy Commissioner of Ontario
Jason Papadimos
media@ipc.on.ca
416-326-3965

Office of the Information and Privacy Commissioner for British Columbia
Jane Zatylny
jzatylny@oipc.bc.ca
250-415-3283