Hackers steal data for 15 million patients, then sell it back to lab that lost it
Canada’s biggest provider of specialty laboratory testing services said it paid hackers an undisclosed amount for the return of personal data they stole belonging to as many as 15 million customers.
Toronto, Ontario-based LifeLabs Notified Canadian authorities of the attack on November 1. The company said a cyberattack struck computer systems that stored data for about 15 million customers. The stolen information included names, addresses, email addresses, customer logins and passwords, health card numbers, and lab tests.
The incident response, company President and CEO Charles Brown said in a statement, included “retrieving the data by making a payment.” The executive added: “We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals.” The statement didn’t say how much LifeLabs paid for the return of the data. Representatives didn’t immediately respond to an email seeking the amount.
According to an advisory issued by the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia: “LifeLabs advised our offices that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom. LifeLabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data.”
LifeLabs said that its investigation so far indicates that the accessed test results were from 2016 or earlier and belonged to about 85,000 customers. Accessed health card information was also from 2016 or earlier. So far, there’s no indication any of the stolen data has been distributed to parties other than LifeLabs.
The LifeLabs statement said that company officials have fixed the system that led to the breach. The company is providing a year of free identity theft monitoring and identity theft insurance. Affected customers can sign up for the help here.