LifeLabs Privacy Breach

December 17, 2019



When were you notified of the breach?

On November 1, LifeLabs notified both the Office of the Information and Privacy Commissioner of Ontario and the Information and Privacy Commissioner for British Columbia that, through their cybersecurity monitoring systems, they had detected a potential breach. LifeLabs has since confirmed they were the subject of a cyberattack on their computer systems. They advised us that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom. LifeLabs paid the ransom to secure the data.

How many people were affected?

LifeLabs is still investigating the number of people who were affected but we understand this is a large-scale breach of systems containing information of an estimated 15 million people.

LifeLabs has advised that the vast majority of their customers are in B.C. and Ontario with very few customers in other locations and that if customers have visited LifeLabs for a test, or received a test or service from LifeLabs Genetics and Rocky Mountain Analytical, their information is likely in their database.

What kind of information was affected?

LifeLabs has informed us that the information in the systems includes names, addresses, emails, customer logins and passwords, date of birth, health card numbers, and, for some customers, lab tests.

What role are the privacy commissioners playing?

The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC are investigating this incident. As part of this investigation, we are working to assess:

  • the impact of the breach
  • the adequacy of LifeLabs’ security measures and response to the breach, and
  • what measures will be necessary to avoid further breaches.

When will the investigation be complete?

We are hoping to complete the investigation as soon as possible. However, each case is unique and the timing subject to the specific context. We also want to ensure that our investigation is thorough and canvasses all of the issues that concern the public.

Our findings and recommendations will be made public when the investigation is complete.

What can organizations do to protect themselves from cyberattacks?

Various strategies for defending against and responding to a cyberattack include:

  • employee training
  • limiting user privileges
  • software protection

Depending on the size and scope of the organization, they may want to hire a third party security consultant to assist in making sure data systems are secure and protected.

Unfortunately, these kind of attacks – and the bad actors who perpetrate them – are becoming increasingly sophisticated.

Even if an organization does everything right, there is no guarantee that they will not fall victim to a cyberattack.

It’s important to be vigilant, and continuously examine cybersecurity systems, including staff training and other technical and administrative measures.

There is guidance available for organizations that outline steps to protect personal data from cyberattack and how to respond to a privacy breach. They include:

What can someone do if they are affected by the breach?

We recognize that a breach of sensitive personal information can cause distress for those who are affected.

LifeLabs has indicated that any individual concerned about the incident can receive free protection that includes web monitoring and identity theft insurance. Customers should visit or call 1-888-918-0467.

People affected by the breach are not required to file individual complaints with our office. Our investigation is already underway and we will release our findings and recommendations once it is completed. We will be working to address the interests of everyone affected by this breach.


Media contacts:

Office of the Information and Privacy Commissioner of Ontario
Jason Papadimos

Office of the Information and Privacy Commissioner for British Columbia
Jane Zatylny