Lessons Learned #3: LifeLabs Data Breach

This is the third post in our Lessons Learned blog series. In the first article we looked at the BlackRock data breach, and in the second we shed light on the Earl Enterprises data breach. This post is intended to help healthcare practices re-evaluate their existing health information security policies. Previously, we published a Q&A on cyber security in the healthcare industry with the aim of making cyber security issues easier to identify.


Fact

In November of 2019, LifeLabs notified the Office of the Information and Privacy Commissioner of Ontario of a potential cyber attack on their computer systems. A month later, the organisation publicly confirmed that they were the subject of a cyber attack on their systems. LifeLabs is a Canadian-owned company that has been serving the healthcare needs of Canadians for nearly five decades. It has 16 laboratories and over 5700 professionally trained staff members. Almost half of Canada’s total population has had some sort of testing carried out by the company as part of their routine health care.

The breach is known to be the largest to date in Canada and the first to involve sensitive health data gathered by a major laboratory. A joint investigation by the information and privacy commissioners of British Columbia and Ontario has since found that the company failed to put adequate safeguards and technical security policies in place to protect that personal information, and that it had also collected more personal health data than was necessary.

Since the incident, LifeLabs has engaged a third-party professional services firm to assess its response to the attack and the effectiveness of its security program, and it continues to use external cyber security teams to monitor the dark web and other online sources for information related to the breach.


Result

The personal information of about 15 million Canadians, mainly residents of British Columbia and Ontario, was extracted by cyber criminals. This information included names, addresses, email addresses, dates of birth, and national health card numbers from 2016 and earlier. Customer login IDs and passwords also appear to have been exfiltrated in the breach.

In its public statement, LifeLabs said that it had made a payment to retrieve the stolen information. The company did not disclose details of the nature of the attack, leaving Canadians uncertain about the current level of risk to their personal information.


Three proposed class action lawsuits were filed in response to the LifeLabs data breach. The largest of these sought 1.13 billion US dollars in damages plus a further 10 million US dollars in punitive penalties. That suit claimed the breach resulted from a failure to maintain sufficient cyber security controls, and that the company therefore breached its own privacy policy by allowing it to occur.


Key takeaways for businesses

A number of characteristics make the healthcare industry an ideal target for cyber criminals. For example, crippling IT systems is comparatively easy because of insufficient investment in IT security within the sector. Healthcare is also known as the industry in which employees are the predominant threat actors in data breaches. As a result, healthcare organisations face cyber attacks from numerous vectors, including ransomware, malware, and targeted attacks.

Organizations responsible for collecting and storing sensitive information, like healthcare records, should have heightened security protocols in place to protect the information, and to minimise the risk of having it compromised by intruders. Cyber attacks impair the ability of a healthcare provider to function properly.

The first takeaway is to create a security culture. In other words, it is important to establish a security-minded educational culture in which good practices become automatic, reinforced by information security education on an ongoing basis. The second takeaway is to plan for the unexpected. Life does not always follow a script, so be ready for what comes next. Planning for the unexpected includes creating regular and reliable data backups, protecting backup media with access controls, and testing backup media regularly to confirm that data can actually be restored. Last but not least, have a sound recovery plan: know what data was backed up, when the backup was made, and where the backups are stored.
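The backup controls in that paragraph (regular backups, access-controlled media, routine restore testing, and a record of what was backed up, when and where) can be exercised as a repeatable drill. The script below is an added example written for this post; it is not LifeLabs' tooling or anything the investigators described. It builds a small constructed "records" tree in a temporary directory, archives it with a SHA-256 manifest, restricts the archive to its owner, restores it into a scratch directory and compares every file's hash, and finally corrupts the archive to confirm the drill notices. All paths and sample data are constructed for the demonstration.

```python
"""Backup-and-restore verification drill (added example, not from the original post)."""
import hashlib
import json
import stat
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> Path:
    """Archive `source` into `backup_dir`, restrict access, and write a manifest.

    The manifest answers the recovery-plan questions: what was backed up
    (per-file hashes), when (UTC timestamp) and where (archive location).
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    # Access control on the backup media: only the owner may read or write it.
    archive.chmod(stat.S_IRUSR | stat.S_IWUSR)
    manifest = {
        "created_utc": stamp,
        "source": str(source),
        "location": str(archive),
        "archive_sha256": sha256_of(archive),
        "files": files,
    }
    manifest_path = backup_dir / f"backup-{stamp}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    manifest_path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return manifest_path


def verify_restore(manifest_path: Path) -> dict:
    """Restore the archive into a scratch directory and compare every file's hash."""
    manifest = json.loads(manifest_path.read_text())
    archive = Path(manifest["location"])
    result = {"archive_intact": sha256_of(archive) == manifest["archive_sha256"],
              "restored_ok": [], "mismatched": [], "missing": []}
    if not result["archive_intact"]:
        return result  # corrupted or tampered media: do not trust its contents
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse entries that would write outside the scratch directory.
            for member in tar.getmembers():
                name = Path(member.name)
                if name.is_absolute() or ".." in name.parts:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(scratch)
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_of(restored) != expected:
                result["mismatched"].append(rel)
            else:
                result["restored_ok"].append(rel)
    return result


def run_drill() -> dict:
    """Build constructed sample records, back them up, restore-test, then tamper."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "records"
        (source / "lab").mkdir(parents=True)
        # Constructed sample content; not real patient data.
        (source / "lab" / "results.csv").write_text("patient_id,test,value\n1001,HbA1c,5.4\n")
        (source / "notes.txt").write_text("constructed sample, not real data\n")
        manifest_path = create_backup(source, work / "media")
        report = verify_restore(manifest_path)
        report["manifest"] = json.loads(manifest_path.read_text())
        # Simulate damaged media: append a byte and confirm the drill rejects it.
        with Path(report["manifest"]["location"]).open("ab") as f:
            f.write(b"\x00")
        report["tamper_detected"] = not verify_restore(manifest_path)["archive_intact"]
        return report


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

In practice the manifest would be stored separately from the archive (a tampered medium can carry a matching tampered manifest), and the restore test would run on a schedule against the real backup media rather than a freshly created archive; the structure of the check is the same.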


Looking for more insights like this?

Data breaches are unfortunately prevalent in the healthcare industry. Organisations must think about implementing a strong security management program and critically investigate their security holes as well as the threat environment to lessen potential harm to both the entity and its patients. Swiss Cyber Forum advises organisations to take the risks seriously as they are a present and growing problem, and they must build cyber threat awareness throughout the organisation.

Would you like to know more about how data breaches can be prevented and what steps you should take? Download our first exclusive whitepaper – 10 Most Interesting Data Breaches in 2019: Key Takeaways for Businesses. This material is free of charge. Just fill in the form and you will immediately receive the link to your personal copy of the whitepaper.
