Update to Our Customers: Protecting Your Information

June 10, 2020



To our customers,

It’s been just over six months since we announced that we had been victim of a cyber-attack involving unauthorized access to our computer systems. I want to thank you for your continued support and patience. You entrust us with important information and we take that responsibility very seriously.

Back in December, I made a commitment to you. I promised you that we would learn and work hard to earn back your trust. I cannot change what happened, but I assure you that I have made every effort toward making change to provide you services you can trust. Here are just some of those changes that our team and I have made to best protect your information by strengthening our information security program:

We have appointed a Chief Information Security Officer (CISO), who together with an expanded team, is leading our program of information security improvements;

We have welcomed two new leaders to the LifeLabs team in the roles of Chief Privacy Officer and Chief Information Officer. Both leaders bring substantial experience in cybersecurity and privacy protections, strengthening our practices across the organization;

We have enhanced and accelerated our Information Security Management program through an initial $50 million investment, backing our plan to achieve ISO 27001 certification- a gold standard in information security management that is achieved by only a small number of organizations;

We have engaged an independent third-party professional services firm to objectively evaluate the response to the cyber-attack, efficacy of our security programs and capabilities, and make recommendations for further process enhancements;

We continue to deploy cyber security firms to monitor the dark web and other online locations for information related to the cyber-attack. To date, no public disclosure of customer data from the attack has been identified.

We established an Information Security Council with internal and external cyber security experts who will regularly report to me and the Board of Directors on information security practices and protocols;

We have implemented strengthened cybercrime detection technology across the organization;

Our teams organization-wide will participate in annual security and privacy awareness and training programs.

Please note that we continue to offer any customer one free year of cyber protection services including dark web monitoring and identity theft insurance; registration for these services are available until the end of 2020 and can be accessed by calling 1-888-221-2082.

2019’s cyber-attack is a strong reminder that we must continuously work to protect ourselves against cybercrime. Data protection and privacy are now central to everything we do. In fact, through our partnership with experts, the healthcare sector, governments and IT companies, LifeLabs is making a commitment to become a global leader in protecting healthcare data.

We have an excellent healthcare system in Canada but If COVID-19 has taught us anything, it’s that we need to keep innovating. Electronic records are an important part of delivering great service to you, now more so than ever. We will not let cybercrime hold us back in efforts to enhance virtual and accessible health care for you and all our customers. We will continue to drive collaboration across private and public sectors to deter cybercriminals and strengthen the system, to protect and serve you as best as possible.

Once again, I would like to thank you for your continued support and patience as we have worked through this difficult time in recent months. We will continue to be vigilant in protecting your information and rebuilding your trust.

Please be safe, and be well.

Yours sincerely,

Charles Brown



President and CEO

LifeLabs

An Open Letter to LifeLabs Customers

December 17, 2019

Updated January 9, 2020



To our customers: Through proactive surveillance, LifeLabs recently identified a cyber-attack that involved unauthorized access to our computer systems with customer information that could include name, address, email, logins, passwords, date of birth, health card numbers, gender, phone numbers, password security questions and lab test results. Personally, I want to say I am sorry that this happened. As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously.

We have taken several measures to protect our customer information including:

Immediately engaging with world-class cyber security experts to isolate and secure the affected systems and determine the scope of the breach;

Further strengthening our systems to deter future incidents;

Retrieving the data by making a payment. We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals;

Engaging with law enforcement, who are currently investigating the matter; and

Offering cyber security protection services to our customers, such as identity theft and fraud protection insurance.

I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.

We have fixed the system issues related to the criminal activity and worked around the clock to put in place additional safeguards to protect your information. In the interest of transparency and as required by privacy regulations, we are making this announcement to notify all customers. There is information relating to approximately 15 million customers on the computer systems that were potentially accessed in this breach. The vast majority of these customers are in B.C. and Ontario, with relatively few customers in other locations. In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly. Our investigation to date indicates any instance of health card information was from 2016 or earlier.

While you are entitled to file a complaint with the privacy commissioners, we have already notified them of this breach and they are investigating the matter. We have also notified our government partners.

While we’ve been taking steps over the last several years to strengthen our cyber defenses, this has served as a reminder that we need to stay ahead of cybercrime which has become a pervasive issue around the world in all sectors.

Any customer who is concerned about this incident can receive one free year of protection that includes dark web monitoring and identity theft insurance.

Yours sincerely,

Charles Brown

President and CEO

LifeLabs