LifeLabs, a Canadian-based healthcare organization, was the victim of a cyberattack in November 2019. An investigation conducted by the Information and Privacy Commissioners of Ontario and British Columbia found that the LifeLabs data breach was the result of inadequate security policies and safeguards.
LifeLabs Data Breach: What Happened?
November 1, 2019 – The LifeLabs data breach was discovered, affecting 15 million patients, making it the second-largest healthcare breach reported in 2019. Hackers infiltrated LifeLabs' computer systems, putting patients’ protected health information (PHI) at risk. Data that may have been exposed in the hack includes health card information, patients’ lab results, emails, contact details, login information, and dates of birth.
Following the attack, LifeLabs worked with cybersecurity experts to negotiate the return of the stolen data. To regain access to its patients’ data, LifeLabs paid the hackers to return the stolen files.
December 2019 – LifeLabs notified patients that their sensitive information may have been compromised. Soon after the notification, patients filed multiple lawsuits claiming that LifeLabs was negligent since it failed to protect their data. The lawsuits also claim that LifeLabs violated privacy and consumer protection laws when it failed to implement adequate security safeguards. The filed lawsuits are asking for $1.1 billion to compensate the victims of the LifeLabs data breach.
LifeLabs Data Breach: Improving Security
Following the healthcare breach, LifeLabs was required to implement security measures to ensure that an attack of this nature doesn’t occur again.
These measures include:
◈ Appointing a Chief Information Security Officer
◈ Third-party Cyberattack Evaluation
◈ Cybercrime Detection Technology
◈ Implementing Security Policies and Procedures
In addition to these security measures, the commissioners ordered LifeLabs to cease collecting data and to dispose of previously collected data in a secure fashion. LifeLabs must also improve its notification processes.
“This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks,” Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement. “I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation.”