Canada-based LifeLabs notified 15 million patients on December 17 that their personal information relating to healthcare, including name, address, email, login, passwords, date of birth, healthcare number, and lab test results, may have been accessed without authorization. Most of those affected reside within British Columbia and Ontario.
Fortunately, there's little indication that attackers accessed the data. As the LifeLabs president and CEO said in the company’s data breach announcement: “I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”
According to a report from HealthITSecurity, LifeLabs paid the attackers in order to retrieve the data on the 15 million affected patients, which is a controversial response to ransomware attacks. “LifeLabs assurances that the data does not appear to have been shared online anywhere, including the dark web, seem extremely optimistic,” Ray Walsh, digital privacy advocate at ProPrivacy, said in an email to HealthITSecurity. “Paying hackers for ransomed data is an extremely dubious affair, and the potential for that data to be sitting on the hacker's hard drive waiting to be sold online at some point in the future is extremely problematic because this could happen tomorrow, next week, or in a year's time,” he continued.
Shortly after the public breach disclosure, a class-action lawsuit against LifeLabs was announced. According to The Star, “filed on behalf of five plaintiffs, including Toronto lawyer Christopher Sparling, the suit is seeking over $1.13 billion in potential damages due to alleged negligence in safeguarding customer data, as well as an additional $10 million in punitive damages.”
On December 18, Sinai Health System announced that the Chicago, Illinois-based health system had become aware of a potential data security incident that may have resulted in the exposure of some patients' personal and health information. The breach was discovered on October 16 by forensic examiners, who determined that patient information could be at risk through unauthorized access to two employee email accounts. According to Sinai’s statement, “experts performed an investigation and found no evidence that any patient information was removed from the Sinai Health System's email accounts or systems. Further, Sinai is not aware of any misuse of any patient's information and has seen no indication that any patient's information is in the hands of someone it should not be as a result of this incident.”
The information that could have been in the two email accounts includes patients' names, addresses, dates of birth, Social Security numbers, health information, or health insurance information. In its statement, Sinai encouraged patients to review the letters that are being mailed for steps they can take to protect their data.
Within a day of the Sinai data breach announcement, boutique litigation law firm Federman & Sherwood announced it had initiated an investigation into Sinai Health System relating to a data breach. Federman & Sherwood has previously been appointed counsel in several data breach cases.
2019 turned out to be a year with a sizable number of healthcare-related data breaches, including one involving Quest Diagnostics, which notified nearly 12 million patients about a data breach that occurred within one of its billing collections providers. In addition, employees at Oregon's Department of Human Services fell victim to a phishing email that could have exposed 645,000 records.
According to a report from CRN, more than 137 million records were exposed in the ten biggest data breaches in 2019, with six of the ten largest incidents occurring at medical or healthcare organizations.