LifeLabs data breach
Canada's largest medical-testing laboratory disclosed that attackers had accessed health data on roughly 15 million customers, paid an undisclosed ransom to retrieve the stolen records, and was later found by privacy regulators to have failed to safeguard the information.
- Victim: LifeLabs
- Records: 15.0M
- Users: 15.0M
On 17 December 2019, LifeLabs, Canada's largest provider of laboratory diagnostic testing, disclosed that cyber attackers had penetrated its systems and accessed the personal and health information of roughly 15 million customers, the overwhelming majority of them residents of Ontario and British Columbia. It remains one of the largest health-data breaches in Canadian history.
What happened
LifeLabs identified the unauthorized access on 28 October 2019 and notified the Ontario and B.C. privacy commissioners on 1 November. Rather than disclose immediately, the company spent several weeks working with outside cybersecurity and ransom-negotiation experts. It ultimately paid an undisclosed ransom to recover the data the attackers had extracted, before going public in mid-December.
The compromised systems held a sweeping set of fields: customer names, addresses, email addresses, login credentials and passwords, dates of birth, health-card numbers, and laboratory test results. For roughly 85,000 customers, lab results from 2016 or earlier were directly exposed. The identity of the attackers was never publicly established, and forensic firms reported no evidence the stolen data was later published or sold.
Regulatory findings
In June 2020, the Information and Privacy Commissioners of Ontario and British Columbia issued a joint investigation report concluding that LifeLabs had failed to take reasonable steps to safeguard personal health information, in violation of Ontario's Personal Health Information Protection Act and B.C.'s Personal Information Protection Act. The regulators found systemic shortcomings in LifeLabs' information-security posture.
LifeLabs fought for years to keep the report confidential, arguing portions were protected by solicitor-client privilege. It lost that battle, and the full report was published in November 2024, more than four years after it was written, confirming the depth of the security failings.
Impact
- Roughly 15 million customers had personal and health data accessed, primarily in Ontario and B.C.
- LifeLabs paid a ransom of an undisclosed amount to retrieve the data.
- A class-action lawsuit was settled for up to CA$9.8 million; with high claim volumes, individual claimants ultimately received only a few dollars each.
- The company offered affected customers free credit monitoring and identity-theft protection.
Why it matters
The LifeLabs breach is a defining Canadian case study in the ethics and consequences of paying ransoms to protect sensitive health data, and in the limits of corporate transparency. The years-long fight to suppress the regulators' report, ultimately unsuccessful, reinforced the principle that organizations holding health data owe the public a full accounting when that trust is breached, and it informed subsequent debates over mandatory breach-disclosure timelines in Canadian privacy law.
Timeline
- 28 October 2019: LifeLabs identifies unauthorized access to its information systems containing customer data.
- 1 November 2019: LifeLabs reports the incident to the privacy commissioners of Ontario and British Columbia.
- 17 December 2019: LifeLabs publicly discloses the breach, affecting roughly 15 million customers, and confirms it paid a ransom to retrieve the data.
- June 2020: Ontario and B.C. privacy commissioners issue a joint investigation report finding LifeLabs failed to protect personal health information.
- Ontario Superior Court approves a class-action settlement worth up to CA$9.8 million.
- November 2024: The long-suppressed 2020 investigation report is published in full after LifeLabs loses a four-year legal bid to keep it confidential.
Sources
- ipc.on.ca: https://www.ipc.on.ca/en/media-centre/news-releases/commissioners-publish-2020-investigation-report-lifelabs-privacy-breach-affecting-millions-canadians
- thehackernews.com: https://thehackernews.com/2019/12/lifelabs-data-breach.html
- cbc.ca: https://www.cbc.ca/news/canada/british-columbia/lifelabs-cyberattack-15-million-1.5399577
- cbc.ca: https://www.cbc.ca/news/canada/british-columbia/lifelabs-data-breach-report-1.7393107
- globalnews.ca: https://globalnews.ca/news/10396877/lifelabs-class-action-settlement-canada/