TORONTO -- Hackers may have obtained the personal data of 15 million LifeLabs customers after a systems breach, and this includes addresses, passwords, birthdays, health card numbers and even lab results.

LifeLabs, one of the largest private providers of health diagnostic testing, said in an open letter to its customers that the firm had become aware of a recent hack to its computer systems which contained customer information, names and logins.

It didn’t specify exactly who had hacked the system but LifeLabs alerted the Ontario and B.C. privacy commissioners of the hack on Nov. 1. LifeLabs also said it paid ransom to secure the data.

LifeLabs’ letter also said the majority of these customers were in Ontario and British Columbia, with "relatively few customers" in other locations. LifeLabs President and CEO Charles Brown told CTV News approximately 10 million affected were in Ontario, with five million in B.C.

When it came to lab results, LifeLabs said the hack affected 85,000 of its Ontario customers from 2016 or earlier.

“Our investigation to date indicates any instance of health card information was from 2016 or earlier,” the letter added.

The firm discovered the cyberattack in late October and Brown has since personally apologized for the hack.

“I’d like to say to our customers that we’re sorry. We realize this may have shaken their confidence and we’ll do everything we can to win it back,” he told CTV News. “We know that health data is important and we do take that responsibility quite seriously.”

We recently identified a cyber-attack that involved unauthorized access to our computer systems. We are sorry that this incident happened. The data has been retrieved, and a law enforcement investigation is underway. For more info, visit https://t.co/gUYdHeR0Kh. — LifeLabs (@LifeLabs) December 17, 2019

As of Wednesday, two dedicated phone lines -- 1-800-431-7206 (British Columbia) and 1-877-849-3637 (Ontario) -- have been set up for people who want to inquire about further information. In a statement, the firm said there will be extended call centre hours. People can call weekdays between 8 a.m. and 11 p.m., and weekends between 8 a.m. and 8 p.m.



LIFELABS CAN'T GUARANTEE DATA WASN’T COPIED

In the letter, Brown said that the risk to customers from the data breach was low. He also said cybersecurity firms told them they hadn’t seen a public disclosure of the customer data online, including on the dark web or other online locations.

Following the advice of cybersecurity experts, he said they retrieved “the data by making a payment,” Brown said. He later explained his thinking behind that decision.

“Our desire was to try to get this data and keep it as secure as we could and not have it exposed,” he told CTV News.

But LifeLabs couldn’t guarantee that the hackers were unable to save a copy of the data. The firm has also been in touch with law enforcement, its government partners and notified privacy commissioners.

According to a joint statement from the Information and Privacy Commissioner for British Columbia and the Information and Privacy Commissioner of Ontario, LifeLabs had reported the hack to them on Nov. 1 and said that the hackers had been demanding a ransom.

Cybersecurity expert Brian O’Higgins told CTV News Channel customers “may have dodged a bullet” since the hackers were likely more interested in obtaining money in exchange for people’s personal data rather than caring about the lab results.

But the fact the hackers have any personal information at all could lead to identity theft and “that could lead to a world of hurt.”

The privacy commissioners’ co-ordinated investigation will examine the extent of the breach, what led up to it and what – if anything -- could have been done to prevent it.

“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” Information and Privacy Commissioner of Ontario Brian Beamish said in the statement.

Information, and Privacy Commissioner for B.C. Michael McEvoy added, “our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”



LIFELABS HAS TO DO BETTER: FMR. PRIVACY OFFICIAL

Former Information and Privacy Commissioner of Ontario Ann Cavoukian told CTV News Channel the hack is “very damaging.”

Despite LifeLabs saying it paid the ransom, there are no guarantees the data won’t show up elsewhere. Cavoukian said it’s “virtually impossible to control in terms of getting it back and you don’t know where it might appear.”

She said once customers give up their personal data to third parties, they’re at their mercy. That’s why she chastised Lifelabs for not having strong enough security to prevent the data from being stolen.

“I say that data at rest (such as the health card numbers and addresses) should be strongly encrypted so it doesn’t serve as a magnet for the bad guys,” Cavoukian said. “You don’t want to be an easy target. And that’s what’s so appalling. LifeLabs should have had the strongest security measures in place already.”

She said the bulk “of responsibility of the protection of this data is with LifeLabs.” Going forward, LifeLabs CEO pledged the company will strengthen its system to deter future hacks.

LifeLabs said it is offering “any customer who is concerned about this incident” a free year of protection including dark web monitoring and identity theft insurance from American consumer credit reporting agency TransUnion.

But Cavoukian argued that it’s also on the consumer to contact LifeLabs directly to ask if their data has been compromised. She also predicted there could be class-action lawsuits following the breach.



GROWING CONCERN OVER CYBERATTACKS

The menace of cyberattacks is a growing concern among private citizens, companies and governments.

Last month, cybersecurity firm McAfee said that 33 per cent of Canadians have lost $500 or more in online scams this year. And it warned that that number is only expected to rise during the holiday shopping season.

In the past year alone, there’s also been a handful of actual or potential data breaches including at companies such as Desjardins, Disney Plus, Capital One, Freedom Mobile, DoorDash; as well as government healthcare systems, and even at TransUnion Canada.

A recent survey of Canadian companies found that nearly 90 per cent said they had experienced a breach in the past year. O’Higgins, who’s spent the past 30 years in security technology development, said all firms are now facing a new reality.

“Corporations now routinely have cyber risk insurance and when there is an issue the insurer comes in and helps them pay,” he said.

With a file from CTVNews.ca producer Adam Ward