An October hack of medical testing company LifeLabs exposed the sensitive personal information of an estimated 15 million Canadians. The LifeLabs data breach was the largest yet in Canada in terms of personal record count, and the company may end up paying dearly for its security lapse. A civil lawsuit that was just introduced in Toronto is seeking a total of $1.14 billion dollars in damages.

The LifeLabs data breach

Though the company was hacked in October, the public did not become aware of the LifeLabs data breach until December 17 when the company posted an open letter on its website.

The company revealed that it was breached by some sort of cyber attack that targeted customer information. LifeLabs is the largest provider of medical lab diagnostic services in Canada, and almost half of Canada’s total population has had some sort of testing done by the company as part of their normal health care.

Mike Jordan, VP of Research for The Shared Assessments Program, suggested that the reach of this breach may be an indication that new legislation is needed in the country for the protection of patient data:

“Companies find themselves in a difficult situation. It’s well known that it’s only a matter of time until any given company gets hacked. However, when breaches happen in the scale like this, it demands investigation to determine whether the company took reasonable precautions.

“15 million Canadians affected is over 40% of all Canadians. If an organization can carry this amount of sensitive data, perhaps regulatory organizations should consider these organizations in a special category that requires additional oversight and outside assistance.”

The LifeLabs data breach included lab test results and national health card numbers along with personally identifiable information including names, dates of birth, home addresses and email addresses. Login IDs and passwords appear to have also been compromised in the breach.

The lab test results apparently come from records collected in 2016 and earlier, and the majority of these (an estimated 85,000 customers) come from Ontario and British Columbia. The company stated that there were “relatively few” compromised tests from other territories.

In the public statement, LifeLabs indicated that they made some sort of a payment to retrieve the stolen data. The company did not elaborate on the nature of the attack, which leaves Canadian customers uncertain about the current level of risk to their personal information. Some news outlets reported on it as if it was a ransomware attack, but there is no clear indication. This might be a similar situation to the 2017 incident in which Uber decided to pay a ransom to retrieve stolen data and have hackers sign non-disclosure agreements. If the data was exfiltrated, there is no guarantee that paying a ransom to retrieve it took it out of unauthorized hands; there is really no way for LifeLabs to be entirely sure that copies were not made.

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, expanded on this idea:

“This kind of breach has become rather commonplace, unfortunately. Your information does not need to be leaked multiple times – one leak is enough for your personal information to be forever compromised. So it’s hard to understand the motive behind companies that pay a ransom to prevent online leakage, as there is absolutely no guarantee the perpetrators will abide by their word to not resell information on the dark web. By paying them, companies are only financing their future operations and sending a signal to other groups that this kind of activity pays off. Given there was no imminent risk of loss of life or major disruption of a public service, the payment was ill-advised.”

LifeLabs merely characterized the risk to the public as “low” and indicated that they had involved law enforcement and third-party cyber security firms. The company also claims that the issue that led to the breach has been fixed.

The class action lawsuit

There are currently three proposed class action lawsuits in response to the LifeLabs data breach. The largest of these is seeking $1.13 billion in damages plus an added $10 million in punitive penalties. If the courts opt to allow such a lawsuit, they will have to evaluate each suit on its individual merits before deciding to certify any.

The suit described here asserts that the LifeLabs data breach was caused by a failure of adequate cyber security safety measures and controls, and that the company violated its own privacy policy in allowing it to happen.

The lawsuit filing hints at some additional details about the breach. It alleges that the data in question was stored on unsecured servers, and that it was not encrypted. It also alleges that the network security personnel responsible for securing the data were not properly trained and that there was not an adequate amount of staff.

Additional trouble for LifeLabs?

The parties impacted by the LifeLabs data breach have been offered a year of free TransUnion credit monitoring and identity theft protection service by the company, but a recent report from CTV News indicates that a new problem may be brewing.

Customers say that the call number set up for them to arrange credit monitoring goes to a call center in India, where they are asked for their Social Insurance Number to confirm their identity. This number is used for various forms of national identification and was not necessarily included in the breached data.

Some Canadian customers are hesitant to trust TransUnion as the company was recently involved in its own data breach. A cyber break-in in October led to the theft of the personal information of 37,000 Canadian customers.

Security issues at Canadian hospitals

The LifeLabs data breach comes in the midst of general concern about the Canadian health care system’s ability to protect patient data. 2019 saw the Ryuk malware devastate three hospitals in Ontario, the theft of an unencrypted hard drive full of patient data and unauthorized employee access of thousands of records in Alberta, and the phishing of the Nova Scotia Health Authority resulting in 3,000 compromised records.

Canadians have valid reason to be concerned about the ability of their country’s medical facilities to properly secure themselves, given that cybersecurity budgets are often thin. However, there are steps that organizations can (and must) take regardless of budget.

As James McQuiggan, Security Awareness Advocate for KnowBe4, pointed out:

“Organizations responsible for collecting and maintaining sensitive information, like healthcare records, need to have elevated security protocols to protect the information to reduce the risk of having it stolen by criminals. While there’s no shortage of data protection tools like encryption, MFA, defense in depth, these should be strongly considered when protecting the sensitive and important data within an organization.

“If the organization is unable to implement these controls due to budgetary issues, there should be a strong awareness training program for the employees to recognize the common attacks. Until healthcare organizations consider cyberattacks on the same level as fighting germs, breaches will continue to occur.

“Consumers will want to monitor their accounts and be vigilant of spear phishing emails. Criminals in possession of the stolen data will create emails to trick them to reset their passwords through a malicious website and mention that their DNA information has been compromised.”

And Raphael Reich, VP of Marketing for CyCognito, observed some relevant areas of focus:

“Organizations reacting to a breach, or working hard to prevent one, would be served well by undertaking a thorough examination of their attack surface to discover the sorts of un- or under-protected Internet-facing entryways into the organization that typically go undetected by IT and security teams, yet are easily discovered by attackers.

Public was not made aware of LifeLabs #databreach in October until the company posted an open letter on its website in December. #respectdata Click to Tweet

“These conduits into the organization are blind spots for IT and security teams because the assets may not be managed by, even known to, these teams. IT assets such as cloud-based servers, DevOps platforms, and partner networks that connect to an organization, but are outside their full control, are all examples. These “shadow risks” offer an open and tempting pathway to an attacker. That is why it’s imperative for organizations to map their attack surface, expose that shadow risk, and eliminate any critical attack vectors before attackers leverage them.”