A detailed and professional illustration of a nurse in a pathology lab extracting blood from a patient

Steps you can take to avoid a similar fate

 

TLDR

In October 2019, LifeLabs, one of Canada’s largest diagnostic companies, suffered a data breach affecting about 15 million residents of British Columbia, Ontario and Saskatchewan. The incident exposed personal health information, including names, health card numbers and laboratory results. Investigations found inadequate cybersecurity measures, poor breach management and non-compliance with privacy regulations. It should serve as a wake-up call to healthcare organizations, which urgently need to strengthen their cybersecurity practices. This article sets out the lessons learned and the actionable steps healthcare providers can take to protect patient data and maintain trust.


The Shocking LifeLabs Data Breach

 

Imagine the trust you place in your healthcare provider when sharing sensitive health details. Now picture that trust shattered. In October 2019, a cyberattack targeted LifeLabs, one of Canada’s largest diagnostic companies. Hackers accessed the personal health information of about 15 million residents, including test results and health card numbers.

The ripple effects were severe: patients were left exposed to identity theft, while LifeLabs struggled to provide clear answers. Worse, investigations revealed that the company lacked robust cybersecurity protocols, and its delayed and disorganized response to the breach only deepened the crisis.

Read This Insightful Excerpt from the Investigation Report

From the Office of the Saskatchewan Information & Privacy Commissioner

(INVESTIGATION REPORT 398-2019, 399-2019, 417-2019, 005-2020, 019-2019, 021-2020)

[8] When LifeLabs originally reported the breach to my office in December, it estimated that 93,390 Saskatchewan residents were affected. In its response to the breach that it provided to my office at the end of January, LifeLabs reported that 95,855 Saskatchewan residents were affected by the breach and were “mainly” from the patient wait time system. On March 3, 2020, my office asked for more details about the information that was affected outside of the patient wait time system. It responded that the information outside of the patient wait time system was collected to provide lab testing services for Saskatchewan residents either travelling through British Columbia or Ontario or for services purchased privately from LifeLabs. It indicated that 241 individuals from Saskatchewan were affected by the breach outside of the patient wait time system.

[9] On May 27, 2020, at the end of my investigation, LifeLabs requested that my office “consider the new granular facts relating to” the affected systems. It had not previously provided information about these systems in a Saskatchewan context.

[10] LifeLabs indicated that the personal health information of 93,390 Saskatchewan residents affected by the cyberattack were related to its patient wait time system. The patient wait time system refers to the system where individuals can book appointments online. The data elements involved include name, email address, password and security questions and answers. Four months after providing its initial response to my office, LifeLabs indicated that telephone numbers, Internet Protocol addresses (IP addresses) and various information about login attempts were also affected by the breach. Prior to this, LifeLabs did not report all of the data elements in a clear manner in its response to my office.

[11] Additionally, LifeLabs initially indicated that the cyberattack also resulted in the unauthorized disclosure of names, sex, phone numbers, addresses, email addresses, birth dates, user identifications, passwords, security questions and answers, health card numbers, and results of laboratory testing of 241 Saskatchewan residents. As noted, LifeLabs reported that these individuals received services while in British Columbia or Ontario or received private services from LifeLabs.

[12] After May 27, 2020, LifeLabs again provided more specific information about data elements and systems affected. It indicated that one of the affected systems that related to services performed in Ontario contained no test orders or results for Saskatchewan residents. However, at this late stage in my investigation, LifeLabs reported that the demographic information of 15 Saskatchewan residents in this system was affected by the breach. This includes name, date of birth, “patient sex”, address and health card number. It did not provide specific information as to why it collected only demographic information of the 15 Saskatchewan residents in this system.

[13] On May 27, 2020, LifeLabs also noted that the information of 242 Saskatchewan residents that was stored in a system related to services provided in British Columbia was also affected by the breach. Data elements involved included name, date of birth, “patient sex”, address, telephone number, health provider name and health card number.

[14] The affected individuals used LifeLabs’ patient wait time system to arrange an appointment with LifeLabs so that LifeLabs could provide a health care service on behalf of the SHA. This included name, email address, telephone numbers, passwords and security questions and answers. This qualifies as registration information pursuant to subsection 2(q) of HIPA as they were collected for the purpose of registering individuals for the provision of health services. Further in Review Report 186-2019, Review Report LA-2013-003, my office has indicated that IP addresses can be considered personal information if it can be associated with an identifiable individual. In this case, it appears that the IP addresses and various other login information from the patient wait time system that was affected by the breach can also be considered registration information as it is part of the information collected by LifeLabs to register these affected individuals for health services that they provided on behalf of the SHA pursuant to subsection 2(q) of HIPA.

[15] Similar data elements affected in the other systems, including names, email addresses, sex, telephone numbers, addresses, birthdates and health card numbers also qualify as registration information pursuant to 2(q) of HIPA. Therefore, these elements qualify as personal health information pursuant to subsection 2(m)(v) of HIPA.

[16] Lab results are information with respect to the physical health of an individual and information with respect to a health service provided to an individual. As such, it qualifies as personal health information pursuant to subsections 2(m)(i), (ii) and (iii) of HIPA. However, at the end of my investigation, LifeLabs indicated that the lab results affected in this breach did not relate to Saskatchewan residents, contrary to what had been reported to my office earlier.

LifeLabs Data Breach Healthcare timeline per Saskatchewan Information & Privacy Commissioner documents

Why This Should Terrify All Healthcare Organizations

If it could happen to LifeLabs, it could happen to you. Healthcare providers are prime targets for cybercriminals because they hold large volumes of valuable personal health information, which, unlike a credit card number, cannot be reissued once it leaks.

Small and medium-sized practices often believe they are too small to be targeted. But this “not us” mindset is dangerous. Cyberattacks on healthcare systems can:

  • Compromise patient trust.
  • Lead to costly legal penalties for failing to protect data.
  • Result in operational downtime, disrupting care delivery.

And the problem isn’t going away. Cyberthreats like ransomware attacks and phishing schemes are growing, especially in healthcare.

Read about how a ‘low level employee’ was targeted to breach UnitedHealth Group’s Change Healthcare systems.

LifeLabs’ wake-up call highlights systemic issues:

  • Poorly maintained systems.
  • Lack of routine cybersecurity audits.
  • Limited transparency in breach management.

Why Action Is Needed Now

The LifeLabs breach serves as a stark warning: complacency is not an option. The breach’s fallout, ranging from lawsuits to loss of reputation, underscores the catastrophic consequences of neglecting cybersecurity. For small and medium-sized healthcare practices, these risks can be existential. A Toronto-based dental practice is testament to that.

Consider the potential damages:

  1. Legal liabilities: Non-compliance with privacy laws such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial health-information statutes (for example Saskatchewan’s HIPA, cited in the report above) can result in binding orders, penalties and class-action exposure.
  2. Loss of patient trust: A single breach can tarnish your reputation, deterring patients from seeking care.
  3. Financial strain: Breaches come with cleanup costs, regulatory fines, and the loss of future business opportunities.

Act now to avoid becoming the next headline.

LifeLabs Loses Bid To Keep It Quiet

Read: LifeLabs data breach report released after firm loses 4-year bid to keep it quiet

A statement from the privacy commissioners of both Ontario and British Columbia says their joint report, completed in June 2020, found that LifeLabs “failed to take reasonable steps” to protect clients’ data while collecting more personal health information than was “reasonably necessary.”

The report ordered LifeLabs to address a number of issues, such as appropriately staffing its security team, and the commissioners’ statement says the company complied with all of the orders and recommendations.

Steps to Fortify Your Cybersecurity As A Healthcare Provider

No organization is immune to cyber risks, but healthcare providers can take proactive steps to mitigate them. Here’s how:

  1. Conduct a Risk Assessment

Regularly audit your cybersecurity measures. Identify vulnerabilities in systems, workflows, and data storage practices, and rank them by the harm a compromise would do to patients, not only by technical severity.

  2. Implement Robust Data Protection Measures

  • Encrypt sensitive data at rest and in transit, and store passwords and security-question answers only as salted hashes, so that stolen data is unusable. Both of those fields were exposed from LifeLabs’ patient wait time system.
  • Use multi-factor authentication (MFA) for all systems, starting with remote access, administrative accounts and patient portals.
  • Regularly update and patch software to close known vulnerabilities, prioritizing internet-facing systems.

  3. Train Your Team

  • Educate employees on recognizing phishing emails and other common cyber threats.
  • Emphasize the importance of strong passwords and secure browsing habits.

  4. Have an Incident Response Plan

Prepare for the worst by crafting a detailed plan that outlines:

  • Immediate actions to contain breaches.
  • Clear communication protocols for affected parties, including the timelines and the data-element detail your privacy commissioner will expect (the excerpt above records how LifeLabs’ piecemeal reporting prolonged the Saskatchewan investigation).
  • Coordination with cybersecurity experts and legal teams.

  5. Partner with Cybersecurity Professionals

Invest in managed security services to monitor systems 24/7 and respond to threats promptly. Collaborating with experts like FriggP2C ensures that your organization is better equipped to handle evolving cyber risks.
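Of the steps above, the data-protection step is the one a code example can make concrete. The Python below is an added example, not code from the original article or from LifeLabs, and it assumes a simple patient-portal account model of my own (PortalAccount, register, authenticate and verify_recovery_answer are invented names). It stores the two fields the Saskatchewan report lists as exposed from the patient wait time system, passwords and security-question answers, as salted PBKDF2 hashes instead of plaintext, so a dumped table yields nothing reusable, and it checks a TOTP code (RFC 6238) as the second factor the MFA bullet calls for. The demo data, including the RFC 4226/6238 test key, is constructed; encrypting the TOTP seed and health card numbers at rest is assumed to be done with a separate library and a key held outside the database, and is not shown.

```python
"""Added example: credential storage and TOTP second factor for a patient portal.
Not LifeLabs code; the account model and names below are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import unicodedata
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)
TOTP_STEP = 30               # seconds per TOTP window (RFC 6238 default)


def _normalise(secret: str, *, casefold: bool) -> bytes:
    """NFKC-normalise so equivalent Unicode input hashes identically; for
    security-question answers also ignore case and stray whitespace."""
    text = unicodedata.normalize("NFKC", secret)
    if casefold:
        text = " ".join(text.casefold().split())
    return text.encode("utf-8")


def hash_secret(secret: str, *, casefold: bool = False,
                iterations: int = PBKDF2_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iterations$salt$hash' string."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(secret, casefold=casefold),
                                 salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(digest)}"


def verify_secret(secret: str, stored: str, *, casefold: bool = False) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:          # malformed row: fail closed
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _normalise(secret, casefold=casefold),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(key: bytes, code: str, now: Optional[float] = None,
               window: int = 1) -> bool:
    """RFC 6238 TOTP check accepting +/- `window` steps of clock drift. Every
    candidate step is compared so timing does not reveal which one matched."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit()
            and len(code) == 6):
        return False
    counter = int((time.time() if now is None else now) // TOTP_STEP)
    matched = False
    for step in range(counter - window, counter + window + 1):
        matched |= hmac.compare_digest(hotp(key, step), code)
    return matched


@dataclass
class PortalAccount:
    """What the database row holds: no plaintext password or answer. The TOTP
    seed must stay usable, so it belongs in a column encrypted under a key
    kept outside the database (assumed; not shown here)."""
    email: str
    password_hash: str
    answer_hash: str
    totp_seed: bytes


def register(email: str, password: str, security_answer: str,
             totp_seed: Optional[bytes] = None,
             iterations: int = PBKDF2_ITERATIONS) -> PortalAccount:
    seed = secrets.token_bytes(20) if totp_seed is None else totp_seed
    return PortalAccount(email, hash_secret(password, iterations=iterations),
                         hash_secret(security_answer, casefold=True,
                                     iterations=iterations), seed)


def authenticate(account: PortalAccount, password: str, totp_code: str,
                 now: Optional[float] = None) -> bool:
    """Both factors are always evaluated so a wrong password is not faster."""
    password_ok = verify_secret(password, account.password_hash)
    totp_ok = totp_valid(account.totp_seed, totp_code, now=now)
    return password_ok and totp_ok


def verify_recovery_answer(account: PortalAccount, answer: str) -> bool:
    """Security answers are low-entropy: gate a rate-limited recovery flow with
    them, never let them replace the second factor."""
    return verify_secret(answer, account.answer_hash, casefold=True)


if __name__ == "__main__":
    # Constructed demo data; the RFC 6238 test key gives code "287082" at t=59.
    acct = register("patient@example.com", "correct horse battery", "Blue",
                    totp_seed=b"12345678901234567890", iterations=1_000)
    print(acct.password_hash)                                               # pbkdf2_sha256$1000$...
    print(authenticate(acct, "correct horse battery", "287082", now=59))    # True
    print(authenticate(acct, "correct horse battery", "000000", now=59))    # False
```

The 600,000 PBKDF2 iterations are the OWASP figure for SHA-256 and are the cost a deployment should keep; the demo lowers it only for speed. Hashing the security answers limits the damage of a leak like the one in the report, but they remain a weak control and should only gate a rate-limited recovery flow.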

Steps Taken by LifeLabs After the Data Breach

 

  • Appointed a Chief Information Security Officer (CISO), who, together with an expanded team, leads the program of information security improvements;
  • Added two new leaders in the roles of Chief Privacy Officer and Chief Information Officer, both with substantial experience in cybersecurity and privacy protection;
  • Enhanced and accelerated its Information Security Management program through an initial $50 million investment, backing its plan to achieve ISO 27001 certification, the internationally recognized standard for information security management systems;
  • Engaged an independent third-party professional services firm to objectively evaluate the response to the cyberattack and the efficacy of its security programs and capabilities, and to recommend further process enhancements;
  • Deployed cybersecurity firms to monitor the dark web and other online locations for information related to the cyberattack; as of the company’s statement, no public disclosure of customer data from the attack had been identified;
  • Established an Information Security Council of internal and external cybersecurity experts that reports regularly to the CEO and the Board of Directors on information security practices and protocols;
  • Implemented strengthened cybercrime detection technology across the organization;
  • Required all teams, organization-wide, to take part in annual security and privacy awareness training.

Key Takeaways

 

  • Healthcare organizations are prime targets for cyberattacks. The LifeLabs breach exposed the risks of inadequate cybersecurity.
  • Small and medium-sized practices are not immune. Threats like ransomware and phishing can strike any organization.
  • Compliance and transparency are critical. Failure to meet privacy regulations can result in steep fines and loss of trust.
  • Actionable solutions exist. Conduct risk assessments, implement strong security measures, train staff, and partner with experts.
  • By learning from LifeLabs’ failures, your healthcare practice can protect patient data, maintain compliance, and uphold trust. Don’t wait until it’s too late—start fortifying your cybersecurity today.


If You Need Guidance or Immediate Assistance

Contact us at (+91 733-113-2288), or write to us at (service@friggp2c.com | friggp2c@gmail.com)

Also, check out our services like Vulnerability Assessment, Penetration Testing, Code Review, Testing as a Service, and Risk Management on our website www.friggp2c.com. We are determined to work with and for you and make your organization one of the safest business organizations for you, your customers, and all prospective clients.

About the Authors

Amit Sarkar

Amit Sarkar (amit.sarkar@friggp2c.com) is the Founder of Frigg Business Solutions, with offices in Sheridan, Wyoming, USA, and Hyderabad, Telangana, India. He is a seasoned writer whose articles have been published by HCCA and SCCE, a former CEO of a US healthcare regulatory compliance service organization, and a senior global leader in HIPAA compliance, IT security, risk management, and compliance governance.

Ayan Chatterjee

A tenured business leader with over two decades of experience leading organizations across multiple domains including healthcare. He has seen the impact of security breaches first hand and has become a passionate advocate for security & compliance preparedness in organizations.
