
LifeLabs pays ransom after data breach affecting up to 15M Canadians - eswat
https://www.theglobeandmail.com/business/article-lifelabs-pays-ransom-after-massive-data-breach-affecting-up-to-1/
======
guessmyname
Just a few months ago I had to take a series of tests with LifeLabs (blood,
urine, physical, etc.) to update my immigration papers. Did you know you cannot
choose where to take these tests? You are more or less forced to use LifeLabs
because the doctors designated by the IRCC _(Immigration, Refugees and
Citizenship Canada)_ only partner with LifeLabs to do these tests; it's an
ugly monopoly that is impossible to fight as an immigrant. I knew, from the
moment I walked into the laboratory, that all the information I was handing
over and the data they were going to find was going to be leaked sooner rather
than later.

I have tried more than once to get secretaries, assistants and nurses to
understand how bad most of their systems are and how easy it is to expose the
information of all their patients to malicious actors, but arguing with them
is pointless because they barely understand what I am talking about or do not
have the power to change anything. And the worst thing is, I have to visit
LifeLabs again next month for another physical checkup and to take some X-rays,
and this news will not change anything.

Side note…

I used to work as a malware researcher for a security information company in
the US. One day I remembered the story of Sisyphus:

> _In Greek mythology Sisyphus was the king of Ephyra (now known as Corinth).
> He was punished for his self-aggrandizing craftiness and deceitfulness by
> being forced to roll an immense boulder up a hill only for it to roll down
> when it nears the top, repeating this action for eternity._
> —[https://en.wikipedia.org/wiki/Sisyphus](https://en.wikipedia.org/wiki/Sisyphus)

I ended up quitting my job not long after reading this story because it made me
realize I was fighting an endless fight.

~~~
aguyfromnb
> _Did you know you cannot choose where to take these tests?_

Welcome to the Canadian Healthcare system. It's free, but not without issue,
even ignoring the long wait times and inability to _get_ a doctor in most
places in the country.

Did you know I'm not allowed to go get my blood tested privately, even if I
pay for it? That I require a requisition from a doctor (which I don't have, so
I have to go to a walk-in clinic and take up the time of a doctor who couldn't
care less what they are signing)? And that the results then get shared back
with said doctor, at whose discretion it is _what_ data he shares with me? It's
bizarre.

I often see Americans pointing to Canada's system as a shining example. I
mean, sure, we don't have crushing medical debt, which is AWESOME. But our
healthcare system has so many problems itself...

~~~
SketchySeaBeast
What use case is there for getting your blood tested without getting a doctor
involved?

~~~
endorphone
If you're bio-hacking, taking steroids for 'recreation' and monitoring
testosterone, just curious, etc., it does seem reasonable that you should be
able to pay for and get your own tests. There are options that facilitate
that, though it's a burgeoning market given that the overwhelming majority are
ordered, and paid for, through the public system.

------
ttul
If you don’t live in Canada, you might not know that LifeLabs has a virtual
monopoly on the lab business. If your doctor wants you to take a blood test,
you go to LifeLabs.

Whoever broke into their systems knows a great deal about the private health
information of a large fraction of Canadians.

~~~
Consultant32452
In the US this title seems to be held by Quest Diagnostics.

~~~
dqv
Well Quest but also LabCorp. If we go on employee count, then LabCorp would
have the bigger hold. I can't tell if Sonora Quest and Bioreference are
subsidiaries of either of these two larger companies.

------
rayhendricks
“For customers who are concerned, LifeLabs has offered to cover one year of
data protection that includes dark web monitoring as well as identity theft
insurance.”

That's it? If I was Canadian I'd want to see execs going to jail and/or their
contract yanked. If they switched over to using a webapp or ChromeOS on the
desktop things would probably be much more secure.

But that’s not going to happen, cuz it’s owned by the pension system.

~~~
bikeshaving
Does anyone know what “dark web monitoring” actually involves, and what sorts
of firms provide this kind of service?

~~~
chx
It's called Snake Oil Consulting Inc and the sorts of firm that has very very
good contacts to the federal gubmint...

------
bhouston
I wonder if medical test results (which I think could include STDs and chronic
conditions) were included in the data breach? The downside of EMR is that they
can get hacked. If so, that can be incredibly personal information and way more
serious than the usual name, birth date and VISA numbers.

I guess in the future with all these data breaches one will be able to get any
private information on just about anyone by paying for it on the dark net.
Basically there will be darknet data brokers who basically have unlimited
inventory of information because they aggregate from the various data
breaches.

Will people get spam calls from a call center in a low-cost country that brings
up your test results from LifeLabs and threatens to share them with your
employer or significant other unless you pay up?

If not now, this will be happening in the near future.

------
emptybits
The numbers: 15 million people in a country of 37 million had personal
information "potentially accessed in this breach." In several provinces,
LifeLabs is dominant and sometimes the only option for lab work.

Here is the CEO's letter to those 15 million or so victims:
[https://customernotice.lifelabs.com](https://customernotice.lifelabs.com)

Concerned Canadians could/should contact their government about this incident.
I don't have a deep link but assume it's buried in this maze:
[https://www.priv.gc.ca/](https://www.priv.gc.ca/)

------
imposterr
Reading the official news release [1], the cynic in me thinks the wording of
just "password" indicates that these were plain text passwords. From my
experience, when the passwords are hashed/salted, the companies make it a
point to include that.

[1] [https://www.lifelabs.com/lifelabs-releases-open-letter-to-customers-following-cyber-attack/](https://www.lifelabs.com/lifelabs-releases-open-letter-to-customers-following-cyber-attack/)

~~~
slantyyz
I think the big concern is the presumption of a non-techie that a medical
company would take good care of their information, because of regulations,
etc.

I would not be surprised if a LOT of LifeLabs customers used the same password
on their LifeLabs accounts that they use for their email. FWIW, LifeLabs has
two sub-sites that use different credentials: one for test results, and one
for booking appointments.

------
g82918
One thing people propose is criminalizing paying ransoms. I feel like this is
short-minded in that it may prioritize high-value targets like hospitals. I
don't have a good answer for how to avoid issues like criminals prioritizing
health/life companies. In general, maybe raising the idea that targeting
hospitals makes you less than human might help.

~~~
Thorrez
Why would criminalizing paying ransoms cause attackers to target hospitals? I
would think hospitals would have a fairly strict compliance effort, whereas
Joe Schmoe has probably never even heard that it's illegal to pay a ransom.

------
motohagiography
This breach seems to be downplayed because it affects the integrity of the
entire health system. If medical blood test result data ends up on the dark
web, people may likely be able to look up the following about us:

- if you have a condition that puts you at higher risk for receiving
disability or workers compensation.

- if you have been pregnant and when.

- if you got tested for an STD because you thought you needed to, and the
frequency of your testing.

- if you have an STD and around when you contracted it.

That's without getting into specifics around medications, and the greater harm
of people not getting tests done because they do not trust the privacy and
security of the health system. These are typical threat model use cases in
health information privacy assessment and systems design.

In terms of consequences, the disclosure risk of this information can break up
families and households, and silently disqualify people from jobs, both of
which put their kids at a long-term disadvantage, destroy familial wealth and
assets, and in effect impoverish everyone involved.

Once the gravity of this sinks in, I'd be concerned for the mental health of
the CEO.

------
riquito
> Through proactive surveillance, LifeLabs recently identified a cyber-attack

I'm confused, how do you pass from "proactive surveillance" to "there's a
ransom to pay"?

~~~
faeyanpiraat
They probably asked the attackers to provide info about the stolen data, but
they only help in return for a payment.

------
dannyw
Any cyber security firm that says there is no risk of _hackers_ leaking data
because they got paid a ransom is one that should be blackballed for
negligence at best, and fraudulent collusion at worst.

------
dmix
That's a whole lot of STD tests and other highly personal details they got
access to, which could have been way worse than ransomware.

------
ChrisArchitect
Interested in more info about them actually paying the ransom. Not that common
a reaction in these corporate/public sector breaches, I don't think. How much
did they pay? Was it brokered or direct?

Is anyone surprised they actually got the data back? Why are they convinced
the 'hackers' won't still do anything with it?

Reporting is weak on this, as it doesn't say straight out that it was ransomware
that encrypted machines with data, and that it likely came from a random email
that someone opened. Not that there's some evil hacker person on the other end
targeting LifeLabs; it could and does happen to anyone.

------
rkagerer
Non-paywalled: [http://archive.is/mwQN6](http://archive.is/mwQN6)

