The health information of nearly 2,900 Yukoners may have been accessed during a recent cyberattack on Canadian laboratory testing company LifeLabs.
The Yukon’s Information and Privacy Commissioner (IPC), Diane McLeod-McKay, made the announcement in a press release Dec. 17, the day after she was informed of the breach by the company.
According to the release, the personal health information of 34 Yukoners was confirmed to have been disclosed during the breach “because this information was recovered from the hackers.” Up to 2,864 Yukoners may be affected.
Those Yukoners are part of the approximately 15 million Canadians whose health information may have been accessed during the cyberattack.
LifeLabs president and CEO Charles Brown announced the attack in an open letter Dec. 17, which said hackers obtained “unauthorized access” to computer systems containing information including names, addresses, emails, dates of birth, health card numbers and lab test results.
LifeLabs paid a ransom to retrieve the data, the letter says, and the matter is under investigation by authorities. It does not say when the attack occurred.
“I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyberattack is low and that they have not seen any public disclosure of customer data as part of their investigations,” the letter says.
The majority of people possibly impacted by the breach live in British Columbia and Ontario. LifeLabs informed the IPCs of those provinces on Nov. 1.
The IPC offices have since launched an investigation.
In an interview, McLeod-McKay said LifeLabs told her she was informed on Dec. 16 because the company had only “recently” become aware that Yukoners were affected.
The Yukon IPC was not provided with the names of affected Yukoners. Yukoners concerned their information may have been accessed should contact LifeLabs at 1-888-918-0467.
LifeLabs will also be contacting affected Yukoners directly, although it’s not clear how soon that will happen.
McLeod-McKay said she’s waiting to see if any Yukon health information custodians have or had contracts with LifeLabs, and whether their patients’ information may have been impacted by the breach.
If so, the cyberattack would count as a breach of the Yukon’s Health Information Privacy and Management Act that would require the custodian to report it to the Yukon IPC, at which point McLeod-McKay could begin a review.
That, however, has not yet happened.
“At this point, we have very limited information,” she said.
The territory’s two largest health information custodians are the Yukon Hospital Corporation (YHC) and the Department of Health and Social Services (HSS).
YHC spokesperson Matt Davidson confirmed in an email Dec. 18 that the corporation currently has a contract with LifeLabs to perform “three specialized tests that represent a limited number of patients and test samples.”
Those tests are the urea breath test, which helps diagnose gastritis, gastric ulcer, and peptic ulcer disease; the radioallergosorbent test (RAST), a specialized blood test for allergies; and the sperm morphology test, which assesses the size and shape of individual sperm.
YHC sent approximately 1,600 tests to LifeLabs over the past year, Davidson wrote, which represent “well below one per cent of all tests received in our medical laboratory,” and it’s currently working with the IPC and LifeLabs to see if those patients’ information was affected by the breach.
HSS spokesperson Patricia Living said the department does not have any contracts with LifeLabs but is working with YHC and the IPC.
McLeod-McKay said Dec. 17 that LifeLabs has not been able to tell her where the Yukon data originated from — whether it was collected while Yukoners were accessing health care services Outside, or from services in-territory. The company did, however, confirm it was working on reviewing its contracts to see if there were any requiring it to notify the other party of data breaches, McLeod-McKay said, and she’s encouraging Yukon custodians to be proactive about reporting.
McLeod-McKay also encouraged concerned Yukoners to follow up with LifeLabs so they can find out “sooner than later.”
“If Yukoners do find out that their personal health information is subject to that breach, including their health number, that they should probably monitor to a certain degree their health information that is in their records,” she advised, “because if somebody were to use their health card number for example to access care, it is possible that that information could then end up on their medical record and that would be a serious issue.”
In a follow-up interview Dec. 18, McLeod-McKay said she’s planning on working with HSS to figure out the next step for Yukoners whose health card numbers may have been compromised.
Contact Jackie Hong at email@example.com