Commissioners investigating LifeLabs privacy breach affecting millions

The Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) are undertaking a co-ordinated investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs.

LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions: LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.

On Nov. 1, 2019, LifeLabs reported a potential cyberattack on their computer systems to the IPC and the OIPC. Shortly thereafter, they confirmed they were the subject of an attack affecting the personal information of millions of customers, primarily in Ontario and British Columbia. They told us that the affected systems contain information of approximately 15 million LifeLabs customers, including name, address, email, customer logins and passwords, health card numbers and lab tests. LifeLabs advised our offices that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom. LifeLabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data.

The co-ordinated IPC/OIPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it and what, if any, measures LifeLabs could have taken to prevent and contain the breach. We will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” said Brian Beamish, information and privacy commissioner of Ontario. “Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”

Michael McEvoy, information and privacy commissioner for B.C. said, “I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected. Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”

The IPC and OIPC are reaching out to the information and privacy commissioners of other jurisdictions with affected customers.

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit or contact LifeLabs at 1 888 918-0467.
