Skip to content

LifeLabs doesn't want privacy commissioner to see report on cyberattack

Lab-testing company wants to block B.C.'s information and privacy commissioner from getting a report into incident last fall
lifelabs
LifeLabs has four clinics in Kamloops — two downtown, one in Aberdeen and this location in North Kamloops, in the Library Square complex. According to the company, hackers gained access to the computer system that held customer information from 2016 and earlier that could include names, addresses, email addresses, login user names and passwords, dates of birth, health card numbers and lab test results. The access was accompanied by a ransom demand, which LifeLabs paid. The company has set up a dedicated phone line and information on its website for those affected by the breach. To find out more, go online to customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

LifeLabs has filed a petition in B.C. Supreme Court, seeking to prevent the commissioners from getting the report written by CrowdStrike, a cybersecurity firm, after the October cyberattack. The petition says the report is protected by solicitor-client privilege and litigation privilege, and was created by the cybersecurity firm for and under the direction of lawyers for LifeLabs.

“Its purpose is to enable counsel to provide informed legal advice to LifeLabs, including in respect of civil litigation and the very investigation the commissioner is now undertaking,” says the petition. “Because the CrowdStrike report is privileged, the commissioner cannot compel its production.”

There have been at least five class-action lawsuits and a separate civil claim launched against LifeLabs since the company discovered there had been an unauthorized access to its computer system that stored information relating to up to 15 million of its customers, most of them in B.C. and Ontario.

Names, addresses, health-care numbers and, in some cases, lab reports of the customers may have been accessed during the cyberattack. LifeLabs provides general medical diagnostic and specialty lab-testing services.

After the attack was discovered, LifeLabs said it retained lawyers to provide advice about the legal risks and responsibilities it faced and to prepare for an investigation by the commissioner, as well as possible lawsuits. CrowdStrike was hired to determine the extent and manner of the cyberattack and identify any vulnerabilities in LifeLabs’ computer system, according to the petition.

The cybersecurity firm delivered a draft investigation report in January to the lawyers for the lab-testing company.

The privacy commissioners in B.C. and Ontario had in December launched a joint probe into the cyberattack and, on Feb. 7, they ordered LifeLabs to produce the report to them. The company responded by filing the petition.

“At all material times, CrowdStrike was using its cybersecurity expertise to assemble and explain factual information gathered from LifeLabs so that LifeLabs’ counsel could obtain a full picture of the facts and give advice based on that full picture,” says the petition. “Like accountants and fraud analysts, CrowdStrike was effectively a translator between the client and its solicitor.”

No response has yet been filed to the petition, which contains submissions that have not been tested in court.

A spokesman for the commissioner said that because there is an active investigation into the cyberattack, there would be no comment on the litigation. The spokesman added that the probe is continuing and that there is no indication when it will be completed.

LifeLabs has four clinics in Kamloops — two downtown, one in Aberdeen and one in North Kamloops.

Brown said LifeLabs took several measures to protect patient information following the cyberattack, including:

• immediately hiring “world-class cyber security experts” to isolate and secure the affected systems and determine the scope of the attack;

• further strengthening the company’s systems to deter future incidents;

• retrieving the data by making a payment, doing so in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals;

• engaging with law enforcement, who are investigating the matter;

• offering cyber-security protection services to LifeLabs patients, such as identity theft and fraud protection insurance.

LifeLabs has set up a dedicated phone line and information on its website for those affected by the breach. To find out more, the public should go online to customernotice.lifelabs.com or contact LifeLabs at 1-888-918-0467.

In January 2013, patient information for 16,100 Kamloops-area residents was on a computer hard drive that went missing as it was being transferred by LifeLabs to Burnaby from Kamloops