Yesterday, LifeLabs sent an email out to all their patients with an update of what they have done since they announced a data breach in December 2019. If you didn’t receive an email, you can read the full announcement here.
In their update, LifeLabs President and CEO Charles Brown said, “we have enhanced and accelerated our Information Security Management program through an initial $50 million investment, backing our plan to achieve ISO 27001 certification - a gold standard in information security management that is achieved by only a small number of organizations.” In addition, LifeLabs has appointed a Chief Information Security Officer (CISO) as well as a Chief Information Officer (CIO) and a Chief Privacy Officer (CPO). The company also promised that all of its staff will undergo regular annual cyber security awareness training.
In case you’ve forgotten, the LifeLabs data breach affected 10 million people in Ontario, and 5 million people in BC. Patient names, addresses, birthdates, email addresses, customer logins and passwords, health card numbers and lab test results were affected by the breach. At the time, it seemed like LifeLabs didn’t take their cyber security as seriously as they should have. LifeLabs paid an undisclosed ransom amount in an attempt to keep the data from leaking out onto the dark web. So far, it doesn't appear the information has surfaced. Since that time, it seems that the company is taking steps to address the security holes they had previously. Brown’s letter says that cyber security is a top priority going forward: “2019’s cyber-attack is a strong reminder that we must continuously work to protect ourselves against cybercrime. Data protection and privacy are now central to everything we do. In fact, through our partnership with experts, the healthcare sector, governments, and IT companies, LifeLabs is making a commitment to become a global leader in protecting healthcare data.” Patients in Ontario and BC have to wonder, why didn't LifeLabs address this issue beforehand?
LifeLabs is still committed to providing one full year of free cyber protection services including dark web monitoring and identity theft insurance. Patients can still register for these services until the end of 2020 by calling 1-888-221-2082.
So what have we learned from the LifeLabs breach? First off, if your business is in any way responsible for handling private personal information, you have an obligation to protect it. Ask yourself these questions: What are you doing to protect data? When was the last time your organization had a data protection assessment? Is it regularly tested and reviewed? Does your business have a breach readiness plan? How would your business handle a breach? If you aren’t sure how to answer any of these questions, Uzado can help. Contact us about our cyber security services.