Skip to content

Lessons Learned: LifeLabs Data Breach Case Study

This is the third blog post of our blog series on the topic of Lessons Learned. In our first article, we had a look at the BlackRock data breach and in our second article, we shed light on Earl Enterprises Data Breach. This blog post is intended to assist health care practices in reevaluating their existent health information security policies.


What did happen?

In November of 2019, LifeLabs notified the Office of the Information and Privacy Commissioner of Ontario of a potential cyber attack on their computer systems. A month later, the organization publicly confirmed that they were the subject of a cyber attack on their systems.

LifeLabs is a Canadian-owned company that has been serving the healthcare needs of Canadians for nearly five decades. It has 16 laboratories and over 5700 professionally trained staff members. Almost half of Canada’s total population has had some sort of testing carried out by the company as part of their routine health care.

As a matter of fact, the breach in question is known to be the largest to date in Canada and the first to include sensitive health data gathered by a major laboratory. A joint investigation executed by information and privacy commissioners in both British Columbia and Ontario has since discovered the company failed to allocate adequate safeguard activities and technology security policies to protect that personal information and also accumulated more personal health data than was necessary.

Since the incident, LifeLabs employed a third-party professional services firm to assess its cyberattack response and efficiency of its security program, as it continues to engage external cyber security teams to surveil the dark web and other online information regarding the data breach.


What was the result?

The personal information of about 15 million Canadians was extracted by cybercriminals, mainly residents of British Columbia and Ontario. This information included names, addresses, emails, date of birth, national health card numbers from 2016, and earlier. Customer login IDs and passwords appear to have also been exfiltrated in the breach.

In the public statement, LifeLabs stated that they made some sort of payment to regain the stolen information. The company did not reveal detailed information on the nature of the attack, so it lived Canadians doubtful about the current level of risk to their personal information.

There were three proposed class-action lawsuits in response to the LifeLabs data breach. The largest of these was seeking 1.13 billion US dollars in damages plus an added 10 million US dollars in punitive penalties. The suit described here claimed that the LifeLabs data breach was a result of a failure of sufficient cyber security safety controls, hence the company infringed its own privacy policy in allowing it to occur.


Key takeaways for your businesses

There are a number of characteristics that make the healthcare industry an ideal target for cybercriminals. For example, crippling IT systems is relatively easier than in other leading sectors because of insufficient investment in IT security within the healthcare sector.

On the other hand, healthcare is known as the industry where employees are the predominant threat actors in data breaches. What we see is that healthcare organizations find themselves under cyber attacks from numerous vectors, including ransomware, malware, or targeted attacks.

Organizations responsible for collecting and storing sensitive information, like healthcare records, should have heightened security protocols in place to protect the information, and to minimize the risk of having it compromised by intruders. Cyber attacks impair the ability of a healthcare provider to function properly.

The first takeaway is to create a security culture in the first place. In other words, it is important to establish a security-minded educational culture that makes good practices become automatic. That should be followed by conducting information security education on an ongoing basis. The second takeaway would be planning for the unexpected. Life does not always follow a script so get ready for what is coming next. Planning for the unexpected include creating regular and reliable data backups, protecting backup media with access controls, and testing backup media regularly for the ability to appropriately restore data. Last but not least, have a sound recovery plan: know what data was backed up, when the backup was done, and where backups are stored.


Looking for more insights like this?

Data breaches are unfortunately prevalent in every industry. Organizations must build a strong security management program and educate their workforce. We kindly invite you to check our Cyber Security Specialist training with Swiss Federal Diploma. For more information, download the brochure.