Medical biz LifeLabs fesses up: Hackers slurped 15 million customer records – and we paid them to hand it all back

Canadian medical testing specialist LifeLabs says miscreants were able to break into its corporate network and access systems containing the sensitive and personal records of 15 million customers.

While most of the files contained basic information, such as names, home and email addresses, dates of birth, login passwords, and health card numbers, an additional 85,000 customers also had the results of their laboratory tests, conducted in 2016 or earlier, exposed, we're told.

"The vast majority of these customers are in British Columbia and Ontario, with relatively few customers in other locations," LifeLabs CEO Charles Brown told customers this week.

"In the case of lab test results, our investigations to date of these systems indicate that there are 85,000 impacted customers from 2016 or earlier located in Ontario; we will be working to notify these customers directly. Our investigation to date indicates any instance of health card information was from 2016 or earlier."

LifeLabs says that it will offer all customers whose personal data was exposed one year of free identity theft and fraud protection services, as is customary in these situations. In addition to bringing in security consultants and the police, the lab said it notified Canadian privacy commissioners about the intrusion.

"Personally, I want to say I am sorry that this happened," Brown said in the mea culpa. "As we manage through this issue, my team and I remain focused on the best interests of our customers."

You. Quest and LabCorp. Explain these medical database super-hacks, say US senators as 425,000 more people hit

READ MORE

The medical outfit noted it has not seen any indication that the pilfered data has been released to the public. In fact, LifeLabs said it paid off the hackers to "retrieve" the swiped database, which we understand to mean it got a copy of the information with a promise from the crooks not to further leak or exploit the data.

"We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals," Brown noted.

Of course, the hackers may still decide to turn around and spaff out the data anyway. Criminals aren't always the most trustworthy when it comes to this sort of thing.

While the Feds warn companies against caving to extortionists, the idea of paying off hackers to secure or retrieve stolen information has become a more acceptable option than it once was.

Organizations are strongly advised, however, to only entertain the idea of paying a ransom after consulting infosec gurus who are well-versed in ransomware and have a working knowledge of the hackers making the demand. ®