LifeLabs Data Breach Report Sheds Light on Key Failures in Data Protection

Published on November 28, 2024
Written by:
Lore Apostol
Cybersecurity & Streaming Writer

The 2019 ransomware attack on Canadian medical testing company LifeLabs resurfaced as the complete investigation report was published, uncovering a series of significant security shortcomings that contributed to one of the most notable data breaches in Canada's healthcare sector.

The full investigative report by British Columbia and Ontario privacy commissioners became public after four years of legal delays.

The commissioners' investigation identified major lapses in LifeLabs' data protection processes, including insufficient measures to protect personal and health information from theft, loss, or unauthorized access and a lack of adherence to relevant privacy laws, including PIPA and PHIPA. 

The company allegedly collected more personal health information than necessary to fulfill its stated purpose and had no clear process to notify affected individuals promptly and inform them of the specific data compromised without requiring a formal access request.  

Patricia Kosseim, Ontario’s Information and Privacy Commissioner, emphasized the gravity of these shortcomings, stating, "Personal health information is particularly sensitive, and privacy breaches can have devastating impacts for individuals."  

The attack encrypted sensitive lab results of 15 million Canadians and compromised the personally identifiable information (PII) of 8.6 million individuals. 

Despite responding to the breach by notifying customers and regulators, LifeLabs has faced heavy criticism for its inadequate handling of sensitive information before and during the incident.

LifeLabs revealed it paid a ransom to recover the encrypted data, ensuring it wasn't publicly disclosed or sold online. A Malwarebytes follow-up investigation corroborated LifeLabs' claim, noting no signs of leaked data from this breach on the dark web or other digital platforms.  

However, relying on cybercriminals’ assurances raises concerns about the long-term security of the affected data. A ransomware group’s promise to withhold compromised information cannot be guaranteed, leaving an air of uncertainty for LifeLabs' customers.  

The unveiling of this report shines a spotlight on the importance of transparency and strong data protection measures, particularly in sectors like healthcare, where privacy breaches can have severe consequences. Four years of legal resistance by LifeLabs illustrate the challenges of ensuring accountability within corporations. 

Cyberattacks on the healthcare industry are not new. American company Change Healthcare was hit by a ransomware attack earlier this year, which impacted its customer database, exposing personal details such as health information and PII.

In July, HealthEquity announced that it had suffered a security breach affecting 4.3 million customers, due to data stolen from a third party with access to HealthEquity’s SharePoint data.


