VANCOUVER — Medical test provider LifeLabs says it paid a ransom to retrieve stolen data, after the personal information of 15 million customers was breached in a cyberattack on the company’s computer systems.

The medical testing company said in a statement on Tuesday that cyber criminals may have accessed the personal information of over 15 million customers, mostly in B.C. and Ontario, including “name, address, email, login, passwords, date of birth, health card number and lab test results” in late October.

The data breaches involving medical test results affected 85,000 customers from 2016 or earlier located in Ontario. LifeLabs said they will be notifying these individuals directly.

LifeLabs is Canada’s largest provider of diagnostic testing services, such as blood tests, genetic tests, heart monitoring and more.

“I’m sorry this happened and we’ll do everything we can to win back the confidence of our customers,” LifeLabs chief executive Charles Brown told The Canadian Press.

He called the incursion a sophisticated attack that is a wake-up call for the industry.

“Whether you’re a private company, a government, a hospital, we’re all seeing these attacks rise and there’s more and more of them and we’ve collectively got to do more to make sure all our customers feel secure.”

The Toronto-based company declined to say how much money was paid to secure the data, but said that it was done “in collaboration with experts familiar with cyberattacks and negotiations with cyber criminals.”

Brown said it was a hard decision to pay the ransom but he believed customers would want it to do everything possible to retrieve their data.

“We wanted to get the data back,” he said. “We thought it was the smart thing to do because it was just in the best interests of our customers.”

Paying ransom is a fairly common business decision that can have some negative consequences, said David Masson, director of enterprise security for cybersecurity firm Darktrace.

“If you pay you’re telling the threat actors that you will pay; you’re quite likely to get hacked again or they’ll tell other threat actors that these people pay. So you could put yourself in a whole world of pain,” he said in an interview.

It also implies that the company has no other option to get the data back and doesn’t guarantee that all will be returned.

Masson also believes the data never left the LifeLabs system.

While customers will be concerned that their medical test results could be released, the real risk is the unauthorized use of identifiable information that can be used to open a bank account, get a credit card, obtain a loan or buy a vehicle, he added.

“That’s why this kind of data is so valuable on the dark web, because they can use your identification to obtain financial gain from your identity and that’s the real issue around stealing this kind of information.”


LifeLabs said there is no evidence that results were accessed in other provinces aside from Ontario, and that they have been advised by cyber security firms that the risk to customers is low and it has not seen any public disclosure of customer data as part of its investigations.

The company has confirmed that the issue has now been contained and they have taken steps to strengthen their cyber defences.

On Tuesday, Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) announced that they were jointly investigating the attack.

The offices of the two privacy commissioners will look into what circumstances led to the breach, the scope of the attack, and how the company may have prevented it, if possible.

“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” said Brian Beamish, information and privacy commissioner of Ontario, in a statement.

In a statement Tuesday evening, law firm Charney Lawyers PC said it had filed a proposed class-action lawsuit in a Toronto court on behalf of a plaintiff who underwent blood and urine tests at LifeLabs locations in the Brantford, Ont., area.

Such cases have been growing in number in recent years.

In Quebec Superior Court, two class-action lawsuits have been initiated as a result of a breach at Desjardins Group, a Quebec-based financial co-operative.

Desjardins originally announced in June that personal information of more than 2.9 million members had been shared outside the organization, later upgraded to 4.2 million members.

The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.

In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline’s mobile app.

In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.

With files from The Canadian Press.
