If you don’t live in Canada, you might not know that LifeLabs has a virtual monopoly on the lab business. If your doctor wants you to take a blood test, you go to LifeLabs.
Whomever broke into their systems knows a great deal about the private health information of a large fraction of Canadians.
Do they perform some back-office analysis function for Quebec's public health system, or is this get another way Quebec is different from the rest of Canada?
Here in Quebec we generally get our blood drawn for tests at a local public clinic called a CLSC, and can eventually view the results in a public government web system, but I'm not sure where the actual analysis happens.
From their website, it looks like they only operate in Ontario and BC, perhaps Saskatchewan. I certainly haven't seen one here in Alberta, unless they operate under a different name.
Well Quest but also LabCorp. If we go on employee count, then LabCorp would have the bigger hold. I can't tell if Sonora Quest and Bioreference are subsidiaries of either of these two larger companies.
One thing people propose is criminalizing paying ransoms. I feel like this is short minded in that it may prioritize hig value targets like hospitals. I don't have a good answer for how to avoid issues like criminals prioritizing health/ life companies. In general maybe raising the idea the targeting hospitals makes you less than human might help.
Why would criminalizing paying ransoms cause attackers to target hospitals? I would think hospitals would have a fairly strict compliance effort, whereas Joe Schmoe probably never even heard that it's illegal to pay a ransom.
we need instead to fix laws around sensible data handling and criminalise it/managers that skirt around them, current laws are too vague, outdated and don't provide enough reparations to get people whose data was compromised to actually litigate them
Just a few months ago I had to take a series of tests with LifeLabs (blood, urine, physical, etc) to update my immigration papers. Did you know you cannot choose where to take these tests? You are more or less forced to use LifeLabs because the doctors designated by the IRCC (Immigration, Refugees and Citizenship Canada) only partner with LifeLabs to do these tests, it’s an ugly monopoly that is impossible to fight as an immigrant. I knew, from the moment I walked in the laboratory, all the information I was handing and the data they were going to find was going to be leaked sooner than later.
I have tried more than once to make secretaries, assistants and nurses to understand how bad most of their systems are and how easy it is to expose the information of all their patients to malicious actors, but arguing with them is pointless because they barely understand what I am talking about or do not have the power to change anything. And the worst thing is, I have to visit LifeLabs again next month for another physical checkup and to take some X-rays and these news will not change anything.
Side note…
I used to work as a malware researcher for a security information company in the US. One day I remembered the story of Sisyphus:
> In Greek mythology Sisyphus was the king of Ephyra (now known as Corinth). He was punished for his self-aggrandizing craftiness and deceitfulness by being forced to roll an immense boulder up a hill only for it to roll down when it nears the top, repeating this action for eternity — https://en.wikipedia.org/wiki/Sisyphus
I ended up quitting my job no long after reading this story because it made me realize I was fighting an endless fight.
There's something in this story that doesn't ring true.
You knew from the moment you walked into the laboratory that their data handling practices were inadequate and prone to being hacked/leaked. How?
You tried to explain this to their secretaries and nurses. Why bother when it's obvious they can't/won't do anything about it? Why not contacting their management or IT?
> You knew from the moment you walked into the laboratory that their data handling practices were inadequate and prone to being hacked/leaked. How?
The laboratory is divided into small rooms where the patient talks with the nurse and/or doctor, each room looks something like this [1] along with a computer that is connected to whatever system LifeLabs uses. When I arrived for my appointment the nurse left me alone in the room for approximately 15 minutes, the computer was on, and the user session (which I believe was created using the doctor’s credentials) was still alive, I could have done a lot with that computer while the nurse was outside checking the other patients.
Later, the doctor came to do the initial physical checkup and then left for another 10-15 minutes to talk with another nurse. This gave me more time to “snoop around” and in fact, I took the opportunity to take a picture of the computer screen [1]. Ironically, you can see in the picture that the doctor uses a Post-it Note to cover the webcam, which means they do care about their privacy but not the privacy of their patient’s.
You may think “this is not LifeLabs fault but the doctor’s fault” but this is how social engineering works and as people say “A chain is only as strong as its weakest link”.
> You tried to explain this to their secretaries and nurses.
> Why bother when it's obvious they can't/won't do anything about it?
> Why not contacting their management or IT?
Yes, good point, but this doesn’t disprove the rest of my anecdote.
To be fair to life labs, at least they don’t dox you aloud to an entire waiting room.
I witnessed that happen to a few prominent financiers in Toronto while I was getting some bloodwork done. It was terrifying within about 5 minutes I had all the personal information I’d need to do some seriously nefarious things.
This happens on most every occasion I visit a clinic in Canada. Nurses and secretaries do not care.
Happens in the US too. As I was waiting for my doctor's appointment, I was just listening to the secretary call up patients to obtain payments. She was just reading out their credit card information out loud. I was honestly tempted to just take one down then call the credit card company to let them know it was compromised.
I like to think of Sisyphus a bit like someone waiting in line for a rollercoaster or a ski lift. The pushing is a slog, but then you reach the top and WOW BOOOM the rock cascades down the hill and it's AWESOME! Time to start pushing it back up again.
Yes yes I know Sisyphus is a metaphor for the pointlessness of life - but that doesn't mean you have to take it at face value.
> The pushing is a slog, but then you reach the top and WOW BOOOM the rock cascades down the hill and it's AWESOME!
In the original myth the rock rolls down alright, but it rolls down over our hero and then he has to go down and push it back up again knowing what will happen.
> You are more or less forced to use LifeLabs because the doctors designated by the IRCC (Immigration, Refugees and Citizenship Canada) only partner with LifeLabs to do these tests, it’s an ugly monopoly that is impossible to fight as an immigrant.
The other main option is Dynacare. Besides those two, who else is there? Both have built up convenient infrastructure where results are fed back into doctors' EHR systems.
I wouldn't be against more competition, but it seems that there are certain economies of scale that make bigger more efficient:
>Did you know you cannot choose where to take these tests?
Welcome to the Canadian Healthcare system. It's free, but not without issue, even ignoring the long wait times and inability to get a doctor in most places in the country.
Did you know I'm not allowed to go get my blood tested privately, even if I pay for it? That I require a requisition from a doctor (which I don't have, so I have to go to a walk-in clinic and take up the time of a doctor who could care less what they are signing)? And that the results then get shared back with said doctor, who's discretion it is what data he shares with me? It's bizarre.
I often see Americans pointing to Canada's system as a shining example. I mean, sure, we don't have crushing medical debt, which is AWESOME. But our healthcare system has so many problems itself...
If you're bio-hacking, taking steroids for `recreation' and monitoring testosterone, just curious, etc, it does seem reasonable that you should be able to pay for and get your own tests. There are options that facilitate that, though it's a burgeoning market given that the overwhelming majority are ordered, and paid for, through the public system.
Allowing private access to healthcare is a slippery slope. Anyone paying for a service is someone who is also taking the place of someone using that service as a basic right.
I'm not saying it shouldn't be an option for blood tests in particular (as is your example) but there are multiple things to consider when you start opening those up to anyone willing/able to pay.
No normal user of the system is mandated to use any particular lab provider -- a doctor gives you a requisition form and you bring it wherever you want. There aren't that many options, generally, but there are as many as the market will bear (and as new upstarts grow they get swallowed up by the incumbents). This particular person's issue has to do with immigration.
Do you really think a walk-in doctor "could care less"? What a ridiculous statement. They're just as professionally governed and concerned as any doctor.
"Did you know I'm not allowed to go get my blood tested privately"
There are private blood testing services in Canada, though it's a small market given that the workflow of labs is overwhelmingly geared towards the public market. Most labs will happily provide you your own blood test results (a cursory search of both LifeLabs and Dynacare, two of the most common, show their patient portals).
"I often see Americans pointing to Canada's system as a shining example"
Canada is almost always the punching bag for the US -- usually based upon lies or the singular complainer, for instance I and my family have had a family doctor everywhere we've lived, have always had a great experience, etc -- and of course -- like every complex system in the world -- it has flaws. But it isn't as good as France's system, or a couple of others.
“For customers who are concerned, LifeLabs has offered to cover one year of data protection that includes dark web monitoring as well as identity theft insurance.”
That’s it? If I was Canadian I’d want to see execs going to jail and or their contract yanked. If they switched over to using a webapp or chromeos on the desktop things would probably be much more secure.
But that’s not going to happen, cuz it’s owned by the pension system.
Yeah, it's disgusting. I'm not sure how "1 year" of "fraud protection" coverage and the like became the defacto response of corporations who suffer breaches.
Also wonder how motivated they are to do security right if insurance covers it: In an interview, LifeLabs CEO Charles Brown said the company had purchased cyberinsurance, but did not provide details on the coverage.
It makes me sad to see Marriott, Equifax and others skipping along with stocks at near record highs and little long-term impact from their incidents.
The whole "one year of data protection" thing is always a joke. It's not like my demographic information changes every year. There's a reason those sorts of records are worth so much on the black market—they're incredibly durable.
To go where? Socialized healthcare creates monopolies. There are few competitors. You trust your data more to some upstart entity that doesn't yet exist?
There needs to be consequences or there will never be progress in cybersecurity. These guys leaked the most private data of every second Canadian, the CEO needs to criminally prosecuted and there needs to be financial consequences proportional to this catastrophe.
Canadian here and one who has records potentially leaked.... In terms of reaction, I dunno... It depends where on the spectrum of
We kept our "passwords on sticky notes on Windows XP monitors" to "We did everything industry best practices and then some" did they fall into.... I havent seen anything with respect to technical details.
Reading the official news release [1], the cynic in me thinks the wording of just "password" indicates that these were plain text passwords. From my experience, when the passwords are hashed/salted, the companies make it a point to include that.
I think the big concern is the presumption of a non-techie that a medical company would take good care of their information, because of regulations, etc.
I would not be surprised if a LOT of Lifelabs customers used the same password on their Lifelabs accounts that they use for their email. FWIW, Lifelabs has two sub-sites that use different credentials - one for test results, and one for booking appointments.
The numbers: 15 million people in a country of 37 million had personal information "potentially accessed in this breach." In several provinces, LifeLabs is dominant and sometimes the only option for lab work.
Concerned Canadians could/should contact their government about this incident. I don't have a deep link but assume it's buried in this maze: https://www.priv.gc.ca/
Any cyber security firm that says the risk of a hackers not leaking data because they got paid a ransom, is one that should be blackballed for negligence at best, and fraudulent collusion at worst.
I wonder if medical test results (which I think could include STDs and chronic conditions) were included in the data breach? The downside of EMR is that they can get hacked. If so that can be incredibly personal information and way more serious than the usually the name, birth date and VISA numbers.
I guess in the future with all these data breaches one will be able to get any private information on just about anyone by paying for it on the dark net. Basically there will be darknet data brokers who basically have unlimited inventory of information because they aggregate from the various data breaches.
Will people get spam calls from a call center in a low cost country that bring up your test results from LifeLabs and threaten to share them with your employer or significant other unless you pay up?
If not now, this will be happening in the near future.
This breach seems to be downplayed because it affects the integrity of the entire health system. If medical blood test result data ends up on the dark web, people may likely be able to look up the following about us:
- if you have a condition that puts you at higher risk for receiving disability or workers compensation.
- if you have been pregnant and when.
- if you got tested for an STD because you thought you needed to, and the frequency of your testing.
- if you have an STD and around when you contracted it.
That's without getting into specifics around medications, and the greater harm of people not getting tests done because they do not trust the privacy and security of the health system. These are typical threat model use cases in health information privacy assessment and systems design.
In terms of consequences, the disclosure risk of this information can break up families and households, and silently disqualify people from jobs, both of which put their kids at a long term disadvantage, destroys familial wealth and assets, and in effect impoverishes everyone involved.
Once the gravity of this sinks in, I'd be concerned for the mental health of the CEO.
interested in more info about them actually paying the ransom. Not that common a reaction in these corporate/public sector breaches I don't think.
How much did they pay? Was it brokered or direct?
Is anyone surprised they actually got the data back?
Why are they convinced the 'hackers' won't still do anything with it.
Reporting is weak on this as it doesn't say straight out ransomware that encrypted machine with data. That it likely came from any random email that someone opened. Not that there's some evil hacker person on the other end targetting LifeLabs and it could and does happen to anyone.
52 comments
[ 3.7 ms ] story [ 100 ms ] threadWhomever broke into their systems knows a great deal about the private health information of a large fraction of Canadians.
Here in Quebec we generally get our blood drawn for tests at a local public clinic called a CLSC, and can eventually view the results in a public government web system, but I'm not sure where the actual analysis happens.
I have tried more than once to make secretaries, assistants and nurses to understand how bad most of their systems are and how easy it is to expose the information of all their patients to malicious actors, but arguing with them is pointless because they barely understand what I am talking about or do not have the power to change anything. And the worst thing is, I have to visit LifeLabs again next month for another physical checkup and to take some X-rays and these news will not change anything.
Side note…
I used to work as a malware researcher for a security information company in the US. One day I remembered the story of Sisyphus:
> In Greek mythology Sisyphus was the king of Ephyra (now known as Corinth). He was punished for his self-aggrandizing craftiness and deceitfulness by being forced to roll an immense boulder up a hill only for it to roll down when it nears the top, repeating this action for eternity — https://en.wikipedia.org/wiki/Sisyphus
I ended up quitting my job no long after reading this story because it made me realize I was fighting an endless fight.
You knew from the moment you walked into the laboratory that their data handling practices were inadequate and prone to being hacked/leaked. How?
You tried to explain this to their secretaries and nurses. Why bother when it's obvious they can't/won't do anything about it? Why not contacting their management or IT?
The laboratory is divided into small rooms where the patient talks with the nurse and/or doctor, each room looks something like this [1] along with a computer that is connected to whatever system LifeLabs uses. When I arrived for my appointment the nurse left me alone in the room for approximately 15 minutes, the computer was on, and the user session (which I believe was created using the doctor’s credentials) was still alive, I could have done a lot with that computer while the nurse was outside checking the other patients.
Later, the doctor came to do the initial physical checkup and then left for another 10-15 minutes to talk with another nurse. This gave me more time to “snoop around” and in fact, I took the opportunity to take a picture of the computer screen [1]. Ironically, you can see in the picture that the doctor uses a Post-it Note to cover the webcam, which means they do care about their privacy but not the privacy of their patient’s.
You may think “this is not LifeLabs fault but the doctor’s fault” but this is how social engineering works and as people say “A chain is only as strong as its weakest link”.
> You tried to explain this to their secretaries and nurses.
> Why bother when it's obvious they can't/won't do anything about it?
> Why not contacting their management or IT?
Yes, good point, but this doesn’t disprove the rest of my anecdote.
[1] https://en.wikipedia.org/wiki/Doctor%27s_office
[2] https://i.imgur.com/c0tXTEK.png
I witnessed that happen to a few prominent financiers in Toronto while I was getting some bloodwork done. It was terrifying within about 5 minutes I had all the personal information I’d need to do some seriously nefarious things.
This happens on most every occasion I visit a clinic in Canada. Nurses and secretaries do not care.
Not sure what the solution is.
Yes yes I know Sisyphus is a metaphor for the pointlessness of life - but that doesn't mean you have to take it at face value.
or perhaps that the work itself is the reward
In the original myth the rock rolls down alright, but it rolls down over our hero and then he has to go down and push it back up again knowing what will happen.
The other main option is Dynacare. Besides those two, who else is there? Both have built up convenient infrastructure where results are fed back into doctors' EHR systems.
I wouldn't be against more competition, but it seems that there are certain economies of scale that make bigger more efficient:
* https://healthydebate.ca/2015/02/topic/private-medical-labs-...
* https://toronto.citynews.ca/2017/12/22/lab-industry-need-ove...
Side note: LifeLabs is owned by the OMERS pension fund.
Welcome to the Canadian Healthcare system. It's free, but not without issue, even ignoring the long wait times and inability to get a doctor in most places in the country.
Did you know I'm not allowed to go get my blood tested privately, even if I pay for it? That I require a requisition from a doctor (which I don't have, so I have to go to a walk-in clinic and take up the time of a doctor who could care less what they are signing)? And that the results then get shared back with said doctor, who's discretion it is what data he shares with me? It's bizarre.
I often see Americans pointing to Canada's system as a shining example. I mean, sure, we don't have crushing medical debt, which is AWESOME. But our healthcare system has so many problems itself...
I'm not saying it shouldn't be an option for blood tests in particular (as is your example) but there are multiple things to consider when you start opening those up to anyone willing/able to pay.
Do you really think a walk-in doctor "could care less"? What a ridiculous statement. They're just as professionally governed and concerned as any doctor.
"Did you know I'm not allowed to go get my blood tested privately"
There are private blood testing services in Canada, though it's a small market given that the workflow of labs is overwhelmingly geared towards the public market. Most labs will happily provide you your own blood test results (a cursory search of both LifeLabs and Dynacare, two of the most common, show their patient portals).
"I often see Americans pointing to Canada's system as a shining example"
Canada is almost always the punching bag for the US -- usually based upon lies or the singular complainer, for instance I and my family have had a family doctor everywhere we've lived, have always had a great experience, etc -- and of course -- like every complex system in the world -- it has flaws. But it isn't as good as France's system, or a couple of others.
That’s it? If I was Canadian I’d want to see execs going to jail and or their contract yanked. If they switched over to using a webapp or chromeos on the desktop things would probably be much more secure.
But that’s not going to happen, cuz it’s owned by the pension system.
Also wonder how motivated they are to do security right if insurance covers it: In an interview, LifeLabs CEO Charles Brown said the company had purchased cyberinsurance, but did not provide details on the coverage.
It makes me sad to see Marriott, Equifax and others skipping along with stocks at near record highs and little long-term impact from their incidents.
To go where? Socialized healthcare creates monopolies. There are few competitors. You trust your data more to some upstart entity that doesn't yet exist?
[1] https://www.lifelabs.com/lifelabs-releases-open-letter-to-cu...
I would not be surprised if a LOT of Lifelabs customers used the same password on their Lifelabs accounts that they use for their email. FWIW, Lifelabs has two sub-sites that use different credentials - one for test results, and one for booking appointments.
I'm confused, how do you pass from "proactive surveillance" to "there's a ransom to pay"?
Here is the CEO's letter to those 15 million or so victims: https://customernotice.lifelabs.com
Concerned Canadians could/should contact their government about this incident. I don't have a deep link but assume it's buried in this maze: https://www.priv.gc.ca/
I guess in the future with all these data breaches one will be able to get any private information on just about anyone by paying for it on the dark net. Basically there will be darknet data brokers who basically have unlimited inventory of information because they aggregate from the various data breaches.
Will people get spam calls from a call center in a low cost country that bring up your test results from LifeLabs and threaten to share them with your employer or significant other unless you pay up?
If not now, this will be happening in the near future.
- if you have a condition that puts you at higher risk for receiving disability or workers compensation.
- if you have been pregnant and when.
- if you got tested for an STD because you thought you needed to, and the frequency of your testing.
- if you have an STD and around when you contracted it.
That's without getting into specifics around medications, and the greater harm of people not getting tests done because they do not trust the privacy and security of the health system. These are typical threat model use cases in health information privacy assessment and systems design.
In terms of consequences, the disclosure risk of this information can break up families and households, and silently disqualify people from jobs, both of which put their kids at a long term disadvantage, destroys familial wealth and assets, and in effect impoverishes everyone involved.
Once the gravity of this sinks in, I'd be concerned for the mental health of the CEO.
Is anyone surprised they actually got the data back? Why are they convinced the 'hackers' won't still do anything with it.
Reporting is weak on this as it doesn't say straight out ransomware that encrypted machine with data. That it likely came from any random email that someone opened. Not that there's some evil hacker person on the other end targetting LifeLabs and it could and does happen to anyone.