Data breach exposes personal information of 15 million Canadians

BC, Ontario privacy commissioners are investigating incident which targeted LifeLabs data

Data breach exposes personal information of 15 million Canadians
Steve Randall

A Canadian health testing firm has been hit by a cyberattack which has allowed hackers to access information relating to 15 million customers

LifeLabs says that on Nov. 1, 2019, its servers were subjected to unauthorized access to information that could include “name, address, email, login, passwords, date of birth, health card number and lab test results.”

LifeLabs president and CEO Charles Brown posted on the firm’s website that he is personally sorry that this has happened and stated that cybersecurity experts have advised that the risk to customers is low and monitoring has not detected that any of the data has appeared online.

Although financial data does not appear to be included in the breach, the personal information that has been accessed could potentially be used for fraudulent purposes.

Most of the customers affected are in British Columbia and Ontario.

The firm says that it paid a ransom to hackers after consultation with cyber-security experts in order to retrieve the hacked data.

It has taken several measures in the wake of the attack including:

  • Immediately engaging with world-class cyber security experts to isolate and secure the affected systems and determine the scope of the breach;
  • Further strengthening our systems to deter future incidents;
  • Engaging with law enforcement, who are currently investigating the matter; and
  • Offering cyber security protection services to our customers, such as identity theft and fraud protection insurance.

Investigations underway

The privacy commissioners of BC and Ontario have started a joint investigation into the incident.

“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” says Brian Beamish, Information and Privacy Commissioner of Ontario. “Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and healthcare organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”

The IPC and OIPC are reaching out to the information and privacy commissioners of other jurisdictions with affected customers.

"I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected," says Michael McEvoy, Information, and Privacy Commissioner for BC. "Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete."

LifeLabs has set up a dedicated phone line and information on their website for individuals affected by the breach. To find out more, the public should visit or contact LifeLabs at 1-888-918-0467.