The Driz Group

Cybersecurity Blog


6/27/2020


Ontario and BC Privacy Commissioners Find LifeLabs Failed to Protect Personal Health Information of Millions of Canadians

A joint investigation by the Information and Privacy Commissioners of Ontario and British Columbia (BC) has found that Canadian laboratory testing company LifeLabs failed to protect the personal health information of millions of Canadians, a failure that resulted in a data breach in 2019.

In a statement, the Information and Privacy Commissioners of Ontario and BC said the two offices found that LifeLabs failed to take reasonable steps to protect the personal health information in its electronic systems; failed to have adequate information technology security policies in place; and collected more personal health information than was reasonably necessary. LifeLabs is the largest provider of general health diagnostic and specialty laboratory testing services in Canada. It conducts over 100 million laboratory tests and supports 20 million patient visits annually, and more than 2.3 million Canadians visit its website each year to access their laboratory results.

According to the Information and Privacy Commissioners of Ontario and BC, on November 1, 2019, LifeLabs reported a cyberattack on its computer systems to the two offices. The cyberattack affected approximately 15 million LifeLabs customers; the exposed data included names, addresses, email addresses, customer logins and passwords, health card numbers, and laboratory test results. Affected customers were mostly from Ontario and British Columbia.

The two offices issued the following orders to LifeLabs: improve specific practices regarding information technology security; put in place written information practices and policies with respect to information technology security; and cease collecting specified information and securely dispose of the records of that information it has already collected.

“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law,” Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement. “This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.”

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” Michael McEvoy, Information and Privacy Commissioner of British Columbia, said in a statement. “The orders made are aimed at making sure this doesn’t happen again. This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”

Last March 25, the Ontario government amended its health privacy law, making it the first province in Canada to give the Information and Privacy Commissioner the authority to levy monetary penalties against those who violate Ontario's Personal Health Information Protection Act (PHIPA).

According to the Ontario and BC privacy commissioners, they still cannot release the full report of their findings because LifeLabs asserted that the information it provided to the commissioners is privileged or otherwise confidential. The privacy commissioners said they intend to publish the full report unless LifeLabs takes court action.

LifeLabs, for its part, said it is reviewing the findings of the report by the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner of British Columbia. "We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon," LifeLabs said.

According to LifeLabs, one of the changes made as a result of the cyberattack on its IT systems is the appointment of a Chief Information Security Officer (CISO), a Chief Privacy Officer and a Chief Information Officer. The company added that it has enhanced and accelerated its Information Security Management program with an initial $50 million investment to achieve ISO 27001 certification, a gold standard in information security management.

Data Theft and Ransom Demand

According to the Information and Privacy Commissioners of Ontario and BC, LifeLabs told the two offices in November 2019 that the attacker or attackers penetrated the company’s systems, extracted data and demanded a "ransom".

In December 2019, Charles Brown, LifeLabs' president and CEO, in a statement, admitted to "retrieving the data by making a payment". "We did this [paying the ransom] in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals...."

To date, neither the statements of the Information and Privacy Commissioners of Ontario and BC nor those of LifeLabs use the word "ransomware". Given this gap in the public record, the cyberattack on LifeLabs may or may not have been a ransomware attack.

What is clear is that the cyberattack on LifeLabs involved data theft, a ransom demand and, in this case, a ransom payment. There are currently over a dozen ransomware groups that openly admit they do not merely demand ransom to decrypt (unlock) encrypted (locked) files; they also steal data beforehand and use the stolen data as leverage if the victim refuses to pay for decryption.

Several months ago, the group behind the ransomware called "Maze" started the trend of naming and shaming ransomware victims that refuse to pay for decryption of their encrypted files. The group created a website that names victims who refuse to pay and threatens that continued refusal will result in the publication of the data stolen prior to encryption.

The group behind the ransomware called "REvil", also known as "Sodinokibi", recently created an eBay-like auction site to sell off the files of victims that continue to refuse to pay. The REvil group auctioned the stolen files of a Canadian agricultural production company, one of its ransomware victims that continued to refuse payment, offering 3 databases and 22,000 files stolen from the company to the successful bidder.

No organization is immune. Dealing with a cyberattack and its consequences is not a matter of IF but a matter of WHEN. Get a head start by identifying and mitigating key IT risks today. Schedule a free assessment today or call 1.888.900.DRIZ (3749).

Author: Steve E. Driz, I.S.P., ITCP
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit