Just a few months ago I had to take a series of tests with LifeLabs (blood, urine, physical, etc.) to update my immigration papers. Did you know you cannot choose where to take these tests? You are more or less forced to use LifeLabs because the doctors designated by the IRCC (Immigration, Refugees and Citizenship Canada) only partner with LifeLabs to do these tests; it's an ugly monopoly that is impossible to fight as an immigrant. I knew, from the moment I walked into the laboratory, that all the information I was handing over and the data they were going to find was going to be leaked sooner rather than later.

I have tried more than once to make secretaries, assistants and nurses understand how bad most of their systems are and how easy it is to expose the information of all their patients to malicious actors, but arguing with them is pointless because they barely understand what I am talking about or do not have the power to change anything. And the worst thing is, I have to visit LifeLabs again next month for another physical checkup and to take some X-rays, and this news will not change anything.

Side note...

I used to work as a malware researcher for a security information company in the US. One day I remembered the story of Sisyphus:

> In Greek mythology Sisyphus was the king of Ephyra (now known as Corinth). He was punished for his self-aggrandizing craftiness and deceitfulness by being forced to roll an immense boulder up a hill only for it to roll down when it nears the top, repeating this action for eternity. https://en.wikipedia.org/wiki/Sisyphus

I ended up quitting my job not long after reading this story because it made me realize I was fighting an endless fight.
If you don't live in Canada, you might not know that LifeLabs has a virtual monopoly on the lab business. If your doctor wants you to take a blood test, you go to LifeLabs.

Whoever broke into their systems knows a great deal about the private health information of a large fraction of Canadians.
"For customers who are concerned, LifeLabs has offered to cover one year of data protection that includes dark web monitoring as well as identity theft insurance."

That's it? If I were Canadian I'd want to see execs going to jail and/or their contract yanked. If they switched over to using a webapp or ChromeOS on the desktop, things would probably be much more secure.

But that's not going to happen, cuz it's owned by the pension system.
I wonder if medical test results (which I think could include STDs and chronic conditions) were included in the data breach? The downside of EMR is that they can get hacked. If so, that can be incredibly personal information and way more serious than the usual name, birth date and VISA numbers.

I guess in the future, with all these data breaches, one will be able to get any private information on just about anyone by paying for it on the dark net. Basically there will be darknet data brokers who have unlimited inventory of information because they aggregate from the various data breaches.

Will people get spam calls from a call center in a low-cost country that bring up your test results from LifeLabs and threaten to share them with your employer or significant other unless you pay up?

If not now, this will be happening in the near future.
The numbers: 15 million people in a country of 37 million had personal information "potentially accessed in this breach." In several provinces, LifeLabs is dominant and sometimes the only option for lab work.

Here is the CEO's letter to those 15 million or so victims: https://customernotice.lifelabs.com

Concerned Canadians could/should contact their government about this incident. I don't have a deep link but assume it's buried in this maze: https://www.priv.gc.ca/
Reading the official news release [1], the cynic in me thinks the wording of just "password" indicates that these were plain-text passwords. From my experience, when the passwords are hashed/salted, the companies make it a point to include that.

[1] https://www.lifelabs.com/lifelabs-releases-open-letter-to-customers-following-cyber-attack/
One thing people propose is criminalizing paying ransoms. I feel like this is short-sighted in that it may prioritize high-value targets like hospitals. I don't have a good answer for how to avoid issues like criminals prioritizing health/life companies. In general, maybe raising the idea that targeting hospitals makes you less than human might help.
This breach seems to be downplayed because it affects the integrity of the entire health system. If medical blood test result data ends up on the dark web, people may well be able to look up the following about us:

- if you have a condition that puts you at higher risk for receiving disability or workers' compensation.
- if you have been pregnant and when.
- if you got tested for an STD because you thought you needed to, and the frequency of your testing.
- if you have an STD and around when you contracted it.

That's without getting into specifics around medications, and the greater harm of people not getting tests done because they do not trust the privacy and security of the health system. These are typical threat model use cases in health information privacy assessment and systems design.

In terms of consequences, the disclosure risk of this information can break up families and households, and silently disqualify people from jobs, both of which put their kids at a long-term disadvantage, destroy familial wealth and assets, and in effect impoverish everyone involved.

Once the gravity of this sinks in, I'd be concerned for the mental health of the CEO.
> Through proactive surveillance, LifeLabs recently identified a cyber-attack

I'm confused, how do you get from "proactive surveillance" to "there's a ransom to pay"?
Any cyber security firm that says hackers won't leak data because they got paid a ransom is one that should be blackballed for negligence at best, and fraudulent collusion at worst.
Interested in more info about them actually paying the ransom. Not that common a reaction in these corporate/public sector breaches, I don't think.
How much did they pay? Was it brokered or direct?

Is anyone surprised they actually got the data back?
Why are they convinced the 'hackers' won't still do anything with it?

Reporting is weak on this, as it doesn't say straight out that it was ransomware that encrypted a machine with data on it, and that it likely came from some random email that someone opened. Not that there's some evil hacker person on the other end targeting LifeLabs; it could and does happen to anyone.