Canadian health data experts and class action lawyers say that a data ransom payment, after a massive security breach that potentially involves 15 million patients' electronic records, raises profound questions about the vulnerability of digital health information systems and the need for better prevention guidelines.
The security breach affected Toronto-based LifeLabs, one of the world's largest medical testing companies, which does over 100 million laboratory tests on Canadians annually. The breach was made public on Dec 17, 2019, when Chris Brown (CEO of LifeLabs) released an open letter to Canadians describing a “recently identified [a] cyber-attack that involved unauthorized access to our computer systems with customer information that could include name, address, email, login, passwords, date of birth, health card number and lab test results”. After offering a personal apology, Brown went on to explain that LifeLabs attempted to retrieve the data by making a ransom payment, stating, “we did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals”.
Responding to questions from The Lancet Digital Health, Chris Carson, Senior Vice President, Corporate Affairs, Strategy and Innovation at LifeLabs said, “it was a difficult decision to pay the ransom, but we believed that customers would want us to do everything possible to retrieve their data”.