Backgrounder on LifeLabs Privacy Breach
December 17, 2019
Information and Privacy Commissioner of Ontario
When were you notified of the breach?
On November 1, LifeLabs notified both the Office of the Information and Privacy Commissioner of Ontario and the Information and Privacy Commissioner for British Columbia that, through their cybersecurity monitoring systems, they had detected a potential breach. LifeLabs has since confirmed they were the subject of a cyberattack on their computer systems. They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom. LifeLabs paid the ransom to secure the data.
How many people were affected?
LifeLabs is still investigating the number of people who were affected, but we understand this is a large-scale breach of systems containing information of an estimated 15 million people.
LifeLabs has advised that the vast majority of their customers are in BC and Ontario, with very few customers in other locations, and that if customers have visited LifeLabs for a test or received a test or service from LifeLabs Genetics and Rocky Mountain Analytical, their information is likely in their database.
What kind of information was affected?
LifeLabs has informed us that the information in the systems includes names, addresses, emails, customer logins and passwords, date of birth, health card numbers and, for some customers, lab tests.
What role are the privacy commissioners playing?
The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC are investigating this incident. As part of this investigation, we are working to assess:
When will the investigation be complete?
We are hoping to complete the investigation as soon as possible. However, each case is unique and the timing subject to the specific context. We also want to ensure that our investigation is thorough and canvasses all of the issues that concern the public.
Our findings and recommendations will be made public when the investigation is complete.
What can organizations do to protect themselves from cyberattacks?
Various strategies for defending against and responding to a cyberattack include:
Depending on the size and scope of the organization, they may want to hire a third-party security consultant to assist in making sure data systems are secure and protected.
Unfortunately, these kinds of attacks and the bad actors who perpetrate them are becoming increasingly sophisticated.
Even if an organization does everything right, there is no guarantee that they will not fall victim to a cyberattack.
It's important to be vigilant and continuously examine cybersecurity systems, including staff training and other technical and administrative measures.
There is guidance available for organizations that outlines steps to protect personal data from cyberattack and how to respond to a privacy breach. They include:
What can someone do if they are affected by the breach?
We recognize that a breach of sensitive personal information can cause distress for those who are affected.
LifeLabs has indicated that any individual concerned about the incident can receive free protection that includes web monitoring and identity theft insurance. Customers should visit www.customernotice.lifelabs.com or call 1-888-918-0467.
People affected by the breach are not required to file individual complaints with our office. Our investigation is already underway and we will release our findings and recommendations once it is completed. We will be working to address the interests of everyone affected by this breach.
Media contacts
Office of the Information and Privacy Commissioner of Ontario
Jason Papadimos
416-326-3965
Office of the Information and Privacy Commissioner for British Columbia
Jane Zatylny
250-415-3283