7 million Ontario residents had their personal medical data compromised, investigation reveals

Published November 26, 2024 at 12:08 pm

A recently revealed investigation has disclosed that millions of Ontario residents’ medical information was leaked after the Canadian laboratory service LifeLabs was hacked.

According to the now-available 2020 report (by Information Privacy Commissioners in Ontario and British Columbia), LifeLabs suffered a major cyber attack in 2019, when attackers held crucial patient-related data hostage for a brief period.

After the initial ransom was paid, the hackers returned the stolen data to LifeLabs; the data was revealed to contain the personal medical information of 16 million Canadians.

At the time of the report, LifeLabs stated there was no evidence implying that any third party had abused the data during the ransom period.

Core numbers then revealed that out of the 16 million compromised patients, over 7 million were located in Ontario.

When confronted with the reality of the stolen data, LifeLabs noted that most of the compromised information was not overtly sensitive, indicating that a little over one per cent of the data contained actual lab results.

Throughout the report, LifeLabs stuck to the notion that the information leaked wasn’t strictly vital medical data, with investigation results showing that the majority of the compromised data was provincial health card numbers and personal healthcare contacts.

However, not all parties were on board with this sentiment, as commissioners overseeing the report indicated, “We disagree with LifeLabs’ assessment and find their approach to be very cavalier regarding the privacy of their client’s health information. For example, we completely reject the idea that health card numbers are not sensitive. All the compromised personal health information and personal information was sensitive.”

Beyond the sentiment held by commissioners that there is no such thing as non-sensitive medical data, the report then delved into the fact that if most of the information stolen had ties back to personal healthcare practitioners, it inherently violates the privacy of all impacted individuals.

Investigators went on to note that if a patient had links to an oncologist as a result of a cancer diagnosis (or other ailments), it is their prerogative to decide who is allowed to know this information, and that theft of this information makes any personal agency over one’s health moot.

In addition to this testimony, commissioners relayed that personal information inferred from one’s medical history also comes with the possibility of blackmail or extortion.

Conclusions on the nature of the data breach also revealed that security questions and answers were likely compromised as well.

As a result, digital security measures could be guessed and potentially breached, and those investigating the hack were not pleased with LifeLabs’ approach of not notifying those potentially impacted.

“While we are satisfied with the steps LifeLabs took to contain the breach, evaluating and reporting the breach as a low risk of harm to individuals does not adequately inform or prepare individuals of the actions they can take on their own to further mitigate the risk of harm,” stated commissioners in the report.

The investigation then noted that as a byproduct of the hack, LifeLabs was made to overhaul its patient notification system, update IT protocols, bolster security and scrub any non-relevant personal data related to patients — all of which came into effect in 2021.

All materials mentioned in the report were made public on November 25, 2024, after the Ontario Court of Appeal dismissed a bid from LifeLabs to block any public knowledge of the investigation.