Privacy breach at LifeLabs affects roughly 15 million customers, many from B.C.
VICTORIA -- Privacy commissioners in B.C. and Ontario are warning LifeLabs customers of a massive security breach.
According to B.C.'s Office of the Information and Privacy Commissioner (OIPC), LifeLabs reported the cyberattack on its computer systems on Nov. 1. The attack affected systems that contained information on approximately 15 million customers, the majority of whom are B.C. and Ontario residents.
The information included names, addresses, emails, customer logins and passwords, health card numbers and lab test results.
LifeLabs also told the OIPC that the hackers then held the information they stole for ransom, which prompted the company to hire outside cybersecurity consultants to investigate and help restore data security.
The OIPC and Ontario's Information and Privacy Commissioner (IPC) now say they are investigating the cyberattack, as well as reviewing the scope of the breach, the circumstances leading up to it and whether there were any measures LifeLabs could have taken to prevent the information theft.
Both commissioner offices are also looking into ways to help LifeLabs improve their security in the future.
"I am deeply concerned about this matter," said Michael McEvoy, information and privacy commissioner for B.C., in a news release Tuesday. "The breach of sensitive personal health information can be devastating to those who are affected."
Following the breach, LifeLabs has created a dedicated call centre for customers to contact if they are seeking further information about the incident. The call centre can be reached at 1-888-918-0467.
"Our independent offices are committed to thoroughly investigating this breach," said McEvoy. "We will publicly report our findings and recommendations once our work is complete."
LifeLabs is Canada's largest general diagnostic and specialty laboratory testing service. The company has four main divisions across the country: LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical and Excelleris.
"An attack of this scale is extremely troubling," said Brian Beamish, information and privacy commissioner of Ontario. "I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."
"Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated," added Beamish. "Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times."