The company announced the breach in a press release posted on its website, revealing that an unknown attacker unauthorizedly accessed its computer systems last month and stole customers' information, including their:
- Email addresses
- Login information
- Passwords, for their LifeLabs account
- Dates of birth
- Health card numbers
- Lab test results
The Toronto-based company discovered the data breach at the end of October, but the press release does not say anything about the identity of the attacker(s) and how they managed to infiltrate its systems.
However, LifeLabs admitted it paid an undisclosed amount of ransom to the hackers to retrieve the stolen data, which indicates that the attack might have been carried out using a ransomware style malware with data exfiltration abilities.
"Retrieving the data by making a payment. We did this in collaboration with experts familiar with cyber-attacks and negotiations with cybercriminals," the company said while announcing several measures it took to protect its customers' information.
LifeLabs also said the majority of affected customers, who used its labs for diagnostic, naturopathic, and genetic tests, reside in British Columbia and Ontario, with relatively few customers in other locations.
"In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly," the press release read.
"Our investigation to date indicates any instance of health care information was from 2016 or earlier."
LifeLabs said it immediately involved "world-class cybersecurity experts" to isolate and secure the affected computer systems and determine the scope of the cyber attack.
The company also stated that it had already notified law enforcement, privacy commissioners, and government partners to investigate the breach incident.
While LifeLabs has taken several steps to fix the system issues related to the cyber attack and strengthen its cyber defenses by placing additional safeguards to protect your information, it is also offering one free year of identity theft insurance.
"Any customer who is concerned about this incident can receive one free year of protection that includes dark web monitoring and identity theft insurance," LifeLabs said.
Since the exposed data includes users' account login information, affected users are strongly advised to change their passwords on the company's website as well as on any other where they have reused the same password.