LifeLabs users wise to worry about fraud, ID theft after mass data breach say experts

Experts say the unprecedented data breach is a serious wake-up call and the 15 million customers impacted should be concerned about identity theft and credit fraud.

'Identity theft will invariably arise,' says former Ontario privacy commissioner

LifeLabs President and CEO Charles Brown said the majority of the compromised data was from 2016 or earlier, while some information stolen is from 2019 and is related to a server where people could book an appointment online. (Ben Nelms/CBC)

About 15 million people in B.C. and Ontario may have had their personal information exposed online. The medical testing company LifeLabs says it was the victim of a cyberattack earlier this year.

In a letter to its customers, LifeLabs wrote that it takes its responsibility seriously and has taken measures, after consulting with experts on cyberattacks, to retrieve the sensitive data by making a payment to the hackers.

According to Charles Brown, president and CEO of LifeLabs, the attack happened on Oct. 28 and the breach was reported to privacy commissioners in B.C. and Ontario on Nov. 1.

Brown said the majority of the compromised data is from 2016 or earlier, while some information stolen is from 2019 and is related to a server where people could book an appointment online. 

In Ontario, 85,000 people are estimated to have had their lab test information stolen.

"Whether a cholesterol test or genetic test, people expect us, and hold us accountable, to manage that data for them and we take the responsibility seriously," said Brown on CBC's The Early Edition Wednesday.

He said cyber experts have told him the hackers' intent was to receive ransom money rather than use the personal information they stole.

"The view of these crimes is they are not actually interested in the individual data themselves; they are interested in the company," said Brown.

Proactive protection critical

Ann Cavoukian, former Ontario information and privacy commissioner, said there is no guarantee the hackers did not make a copy of the data they stole to use or sell for nefarious purposes.

"Even without accessing the health data, your personal information ... can be used to open a bank account, obtain a loan, get a credit card or buy a car," she said. "Identity theft will invariably arise."

On CBC's The Early Edition Wednesday, Cavoukian questioned how strongly the data was secured in the first place and said companies need to be proactive about protecting their data holdings, including encrypting them.

"I'm hoping this will serve as a wake-up call for anyone collecting health data to secure that data and devote the proper resources to secure that data from the outset," said Cavoukian.

'Incredibly serious'

Vancouver-based tech writer and expert Graham Williams told On The Coast host Gloria Macarenko a breach as large as this one is "unprecedented" and "incredibly serious." 

Williams said there has always been concern over the preservation of privacy with a move to electronic medical records. He said these online systems are supposed to be the most robust, but added it looks like the company was the victim of a cyber lock attack.

It's a type of attack where hackers gain access to a system, lock the owners out of it and then hold the information for ransom, according to Williams. He said the hackers will usually sell the information and return access to the owner once the money is handed over.

He suggested people monitor their credit record to make sure they are not the victims of identity fraud.

"You need to turn an eye to make sure that you're keeping things secure," said Williams.

How can you protect yourself?

Williams said there are a few things people can do if they find out their information was compromised. LifeLabs is offering cyber security protection services to its customers, such as identity theft and fraud protection insurance. He said people should take advantage of that offer to protect their information.

He also suggested using other security programs like Norton, or the iCloud Keychain system through Mac products.

Brown said LifeLabs has put together a package of benefits to let people get online protection against identity theft and fraud. The company is offering one year of protection to any customer concerned about the breach, including dark web monitoring and identity theft insurance.

Residents of the Yukon who travel to B.C. to access health-care services could also be impacted by the breach.

LifeLabs is Canada's largest provider of general diagnostic and specialty laboratory testing services. The company has set up a dedicated call centre for customers to learn more about protections available.

The number is 1-888-918-0467.

With files from Bridgette Watson