Lab-test provider LifeLabs says the personal information — possibly including health card numbers — of an unknown number of the company’s 15 million Canadian customers was stolen in a data breach in late October.
The test results from 85,000 Ontarians were also stolen. The company says it took measures to secure the data, including “retrieving the data by making a payment.”
The compromised test results were from 2016 and earlier, and LifeLabs said it will contact affected customers directly. There is no evidence that results were accessed in provinces other than Ontario.
The company said that the breached database also included names, email addresses, logins, passwords and dates of births.
LifeLabs is Canada’s largest provider of lab tests for diagnostic purposes. The majority of its operations are in Ontario and B.C., where it is headquartered.
The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia are now investigating the cyberattack on the computer system. The breach was reported to the offices on Nov. 1.
“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” Brian Beamish, Ontario’s privacy commissioner, said in a press release Tuesday.
The Office of the Privacy Commissioner of Canada said that they have not received a breach notification report from the company, but will be following up to determine whether Canada’s federal private sector privacy law would apply to the breach.
In a letter to customers, president and CEO Charles Brown apologized for the security breach.
“I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations,” he said.
Brown added that system issues related to the breach have been fixed, and Tuesday’s announcement is “in the interest of transparency.”
He also said a customer who is concerned about the safety of their data will be able to receive “one free year of protection that includes dark web monitoring and identity theft insurance” at the LifeLabs website.
The incident is only the latest data breach to affect Canadian consumers.
The Desjardins Group revealed in December that a data breach in June hit 4.2 million members, all of its clients.
The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.
In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline’s mobile app.
In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.
— With files from The Canadian Press