Overview
- Attack detected October 28, 2019; ransomware actors exfiltrated lab and personal information.
- Approximately 8.6 million customers impacted across multiple provinces.
- Compromised data included names, addresses, dates of birth, provincial health card numbers, and lab results.
- LifeLabs paid ransom to prevent public release and regain control of the data.
Investigation & Findings
- Joint report by Ontario and B.C. Privacy Commissioners (June 2020) found insufficient safeguards in place.
- LifeLabs collected more data than necessary and failed to secure it according to industry best practices.
- Policy gaps and outdated IT controls left critical personal health information exposed.
Remediation & Lessons Learned
- Appointment of CISO, CPO, CIO, and a dedicated Information Security Council reporting to the board.
- $50 million invested to achieve ISO 27001 certification and modernize IT infrastructure.
- Independent third-party audits, dark-web monitoring, and annual security training mandated.
- Victims offered up to $150 each in class-action settlement, with over 900,000 valid claims processed.