Canadian Lab Pays Ransom to 'Retrieve' DataHackers Exfiltrated Data on 15 Million LifeLabs Clients
This story has been updated.
A Canadian medical testing lab acknowledges that it paid a ransom to "retrieve" data stolen by hackers in an incident that apparently did not involve ransomware.
Toronto-based LifeLabs says in a statement issued Tuesday that the attackers gained unauthorized access to data on 15 million individuals in late October. The lab then retrieved the data "by making a payment," it states. "We did this in collaboration with experts familiar with cyberattacks and negotiations with cybercriminals."
Two Canadian regulators - the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia - said in a Tuesday statement they are investigating the incident.
"LifeLabs advised our offices that cybercriminals penetrated the company's systems, extracting data and demanding a ransom. LifeLabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data," the regulators say.
"An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant," says Brian Beamish, information and privacy commissioner of Ontario.
Public institutions and healthcare organizations are responsible for ensuring that any personal information in their custody is secure and protected at all times, Beamish says.
LifeLabs says the vast majority of its customers whose data was exposed live in British Columbia and Ontario, "with relatively few" customers in other locations in Canada.
LifeLabs' investigation into the incident shows that data exposed included customer names, addresses, emails, birthdates, logins, passwords, health card numbers and, in some cases, lab results.
"At this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyberattack is low and that they have not seen any public disclosure of customer data during their investigations, which include monitoring of the dark web and other online locations. We have engaged law enforcement, and their investigation is underway," the company says.
"While we've been taking steps over the last several years to strengthen our cyber defenses, this has served as a reminder that we need to stay ahead of cybercrime which has become a pervasive issue around the world in all sectors," the LifeLabs statement adds.
Affected individuals are being offered one year of pre-paid credit monitoring that includes dark web monitoring and identity theft insurance.
In the meantime, several class action lawsuits have already been filed against LifeLabs by individuals impacted by the breach, reports Canadian news site, The Province.
The ransom demand by hackers in the LifeLabs attack is very concerning, notes Cathie Brown, vice president of professional services at privacy and security consulting firm Clearwater.
"Extortion is not new and has been around a long time, but this case is disturbing because it is so large and the information is extremely sensitive," she says. The risks to those affected is high for the potential of identity theft - both financial and medical. Plus, compromised credentials for logons to the company's portal, and exposure of lab results, is especially worrisome. This is yet another call to action for the healthcare sector to mature their security posture and have incident response and data recovery plans in place."
LifeLabs did not immediately respond to an Information Security Media Group request for additional information about the attack, including how the company determined the attackers did not retain a copy of any data.
Hackensack Meridian Health Attack
Meanwhile, in the U.S., Edison, New Jersey-based Hackensack Meridian Health, which has 17 hospitals and other care locations in the state, tells ISMG that it paid a ransom to unlock systems that were hit by a ransomware attack last week. It declined to reveal the amount paid.
"The incident was discovered quickly, and we took immediate steps to remediate the problem, including notifying the FBI, other law enforcement and regulatory authorities," Hackensack Meridian Health tells ISMG in a statement. "We also engaged external cybersecurity and forensic experts to support our investigation, which is ongoing."
The organization's primary clinical systems are again operational, and IT teams are continuing to bring all applications back online, the statement notes. "Based on our investigation to date, we have no indication that any patient or team member information has been subject to unauthorized access or disclosure."
The FBI advises against paying a ransom to attackers because it can put an entity potentially more at risk for future attacks, and there is no guarantee that the cybercriminals will release or unlock data after receiving the payment.
The U.S. Department of Health and Human Services' Office for Civil Rights recently issued updated guidance on the growing threat posed by ransomware and other increasingly targeted cyberattacks.
"The FBI estimates that ransomware infects more than 100,000 computers a day around the world and ransom payments approach $1 billion annually," OCR notes. "Unfortunately, these numbers are only expected to rise in the future. Ransom payments, however, do not account for all of the costs associated with a ransomware attack.
"Unrecoverable data, lost productivity, damage to reputation, damaged equipment, forensic investigations, remediation expenses, and legal bills are some of the additional costs that can be expected when responding to a ransomware attack. The actual cost of a ransomware attack may be several times more than just the ransom paid. .... The emergence of targeted attacks shows that threat actors are adapting to steps taken by organizations to combat the risk of ransomware infections," OCR notes.
Advances in malware detection and containment tools can assist entities in identifying intrusions into their IT system and initiating defenses before their data is encrypted, OCR adds. "Further, the implementation of the robust security measures required by HIPAA can prevent or greatly reduce the impact of ransomware attacks."
While the FBI and other law enforcement generally warn against paying attackers, healthcare organizations faced with lingering disruptions to patient care are often forced to make difficult choices on the fastest possible ways to recover, some experts note.
"Ultimately the decision to pay a ransom has to be risk-based. Every organization in the healthcare sector should have a plan in place for quickly assessing the risks and responding to ransomware," Brown says.
"It is imperative to know before an attack how long the business and patient units can function at an acceptable level, how long it will take to recover the systems, and also imperative for practicing downtime operations," she notes.
"The best case scenario is the ability for an organization to recover sufficiently and follow the FBI's recommendation. We know that's not the case in most instances."
The healthcare sector has been a target for attacks involving ransoms because of the extreme sensitivity to system outages and the relative low maturity of the security and risk management programs in place, Brown adds.
"What I do see changing is the focus within healthcare entities and business associates to move from 'check the box' compliance to a more secure environment. Overall, that is what will help to decrease the impact of ransomware [and other] attacks."