In the wake of a recent cyberattack against LifeLabs, a Canadian-owned healthcare company, it sent out an email blast to customers with details about the impact and asking them to reset passwords.
In December 2019, LifeLabs disclosed the attack, which potentially exposed the data of 15 million customers. The company said that about 85,000 lab test customers were impacted in Ontario.
The email notice reiterates most of what we already know. It opens by acknowledging that customer information including name, address, email, logins, passwords, date of birth, health card number, gender, phone number, password security questions and lab test results could have been accessed in the attack.
Further, the email notes that LifeLabs’ “investigations to date indicate that your online appointment booking account was within the systems that were potentially affected.”
LifeLabs stressed in the email that the ‘my ehealth’ and ‘my results’ portals used by patients to access test results were not affected by the attack. It also notes those who receive the email may not be one of the 85,000 lab test customers impacted by the attack. Those customers will be notified by LifeLabs separately.
Finally, the email states that LifeLabs’ cybersecurity firms believe the risk to customers in connection with the attack is low. Further, the firms “have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”
The email then details various security steps customers should take to secure their accounts. First, and most importantly, LifeLabs says it has secured users’ accounts used to access its online appointment booking system. All users will be required to create a new password next time they log into their account unless they have already reset their passwords after December 17th, 2019.
LifeLabs also includes password security advice and asks customers to use unique passwords and security questions and answers on all sites requiring logins. Passwords should also be strong and complex so that they cannot be guessed.
Additionally, the email notes that LifeLabs is offering cybersecurity protection services to customers free of charge. The service includes dark web monitoring and identity theft insurance for one full year. Customers can learn more about that service here.
LifeLabs closes out the email with an apology to its customers and reiterates that it has notified the privacy commissioner of the attack, as well as its government partners. It is also facing a $1.13 billion lawsuit over the breach.
You can learn more about the attack here.