LifeLabs pays ransom after cyberattack exposes information of 15 million customers in B.C. and Ontario

The Canadian laboratory testing company LifeLabs says it made a payment to criminals to retrievethe sensitive information of millions of customers after a cyberattackon its computer systems.

In a letter to customers, LifeLabspresident Charles Brown wrote that information related to about 15 million customers, mainly in B.C. and Ontario, may have been accessed during the breach.

The company says it paid the ransom, "in collaboration withexperts familiar with cyberattacks and negotiations with cyber criminals."

The letter does not indicate where the attack originated or who was responsible.

On Tuesday afternoon, B.C. Health Minister Adrian Dix said the province was first informed of the breach on Oct. 28. On Nov. 7, it was confirmed that British Columbians' private information was involved.

When asked why it took more than five weeks after that to inform the public, Dix said there was some concern about secondary attacks.

"Naturally, all of us would have wanted immediately for people to be informed, as quickly as possible," Dix told reporters.

"The only reason there was a delay was to ensure that information that hadn't been compromised wouldn't be compromised, and that information that could be protected would be protected."

He said LifeLabs is responsible for about 34 per cent of laboratory testsin B.C.

The Office of the Information and Privacy Commissioner of Ontarioand the Office of the Information and Privacy Commissioner for British Columbia confirmed in separate statements on Tuesday that they are both investigating the incident.

Logins, passwords affected

The laboratoryreported the cyberattack to the two provincial privacy officeson Nov. 1.

According to Brown's letter, customers' names, addresses, birthdates, email addresses, customer logins and passwords, health card numbers and lab test results were affected by the breach. But Brown said cybersecurityexperts hired by LifeLabs have not seen any public disclosure of customer data, even on the dark web.

This isn't the first incident involvingLifeLabscomputer systems. In January 2013, the medical information of thousands of patients in Kamloops, B.C., went missing.

It wasn't until June that yearthat the company admittedit had lost track of a computer hard drive, whichheld the information of more than 16,000 patients.

The hard drive held the results of electrocardiogramsgathered at threefacilities between 2007 and 2013.

LifeLabs said privacy commissionersare alreadyinvestigating the latest cyberattack, and while the companyhas taken steps over the years to strengthen its cyber defences,it will provide one free year of identity theft insurance, includingdark web monitoring.

LifeLabs is Canada's largest provider of general diagnostic and specialty laboratory testing services.

"We've seen this happen with a number of hospitals around the world," said technology expert Graham Williams.

Williams says depending on the information that was stolen thatabig concern arising out of the cyberattack could be that medical data could not only be used for identity theft or medical fraud but also blackmail.