Monique Keiran: Hacking our health care is big business, apparently

The website for My eHealth, the online portal that allows B.C. residents to access their medical lab-test results, asserts My eHealth is a “free, secure service that allows you to access results online and book appointments at LifeLabs to reduce wait times.”

The site’s security page reads: “We are committed to protecting your personal information; both the information you provided to create your account and the reports you access online. To prevent unauthorized access, LifeLabs employs industry best practices, employs resources specifically dedicated to privacy and security, and undergoes periodic audits by third-party security companies.”

It goes on: “The security of your personal information is essential to our delivery of our website. LifeLabs uses industry standard security practices to protect your personal information from unauthorized access, use or disclosure.”

Fighting words. But after hackers breached LifeLabs’ systems late last year, British Columbians, Ontarians, and other users would be right to question the security of all services and sites linked to the company. As indicated in the webcopy, LifeLabs — Canada’s largest provider of lab-test diagnostics — controls My eHealth.

On Nov. 1, the company informed B.C.’s and Ontario’s privacy commissioners that hackers had penetrated its systems, extracted the data of about 15 million people and demanded a ransom. About 10 million Ontarians and five million B.C. residents were affected.

Officials said the breach also included lab results of about 85,000 customers, and health-card information from 2016 or earlier. However, some of the stolen information is 2019 data related to a server where people could book an appointment online.

A recent email from LifeLabs says: “Our investigations indicate that the cyber-attack involved potential access to LifeLabs’ old online appointment booking system, but did not involve access to the new My eHealth patient portal used to access test results.”

LifeLabs does about one-third of all diagnostic tests for the B.C. health system, amounting to 34 million procedures in 2018. The company holds a vast amount of information about most British Columbians.

Some of that information is highly sensitive. In addition to the routine tests for cholesterol, blood sugar, iron, thyroid and so on, it includes results of pregnancy tests and tests for sexually transmitted diseases, illegal-drug and alcohol screenings, and genetic testing.

Nobody wants that kind of information finding its way to, for example, one’s boss or the creepy neighbour down the hall.

However, according to a study published last year in the Annals of Internal Medicine, health-system hackers are less interested in sensitive medical information. What they tend to target is data that facilitate identity theft and financial fraud. The researchers reported that, in more than 70 per cent of approximately 1,450 health-care database breaches from the past decade, cybercriminals targeted sensitive demographic and financial information, such as social security and driver’s-licence numbers, birth dates, and credit card and banking information.

That’s where the money is.

Although LifeLabs paid the ransom demanded by the criminals, there are no guarantees the hackers won’t sell the sensitive demographic data they extracted — names, addresses, emails, customer logins and passwords, dates of birth, health-card numbers and, for some customers, lab tests — from the company’s systems. Paying the ransom gave LifeLabs access back into its own systems, but it doesn’t mean LifeLabs customers are safe from identity theft or fraud as a result of the hack.

LifeLabs is offering concerned customers one year of free credit protection, dark-web monitoring and identity theft insurance from American consumer credit reporting agency TransUnion.

The company is also facing several civil lawsuits in B.C., and may be facing class-action lawsuits in both B.C. and Ontario, as a result of the hack.

Those are the costs of not keeping data secure. According to IBM Security’s 2019 Cost of a Data Breach Report, a data breach can now cost the average business up to $3.92 million US. The financial impact, which can include the hiring of third-party cyberforensics firms, legal costs, rapid investments in security, and compensation payments and government-issued penalties, is often felt for years after the breach.

Hacking health care is big business.