After hack, Canadian LifeLabs paid ransom for 15M+ customers' health data

Originally published at: https://boingboing.net/2019/12/18/after-hack-canadian-lifelabs.html

The combination of the ransom paid and publicity of this huge attack will create a surge in ransomware attacks and “success stories.”

Your healthcare data is worth a lot to hackers and you (the patient) have every right to demand your doctor, dentist, chiro etc… are doing the right things to protect your data. Don’t put up with doctors who have shit security. Demand better.

3 Likes

Fucking LifeLabs.

They had old information for a member of my family and refused to remove it, even on request, citing security compliance issues. And now, this.

9 Likes

15M customers, for Canada, is huge. How does the ransom payoff work, the anonymous hackers promise to delete their copy of the data? And they get trusted on their word?

2 Likes

Yeah, that is exactly how ransomware works.

They typically will encrypt your data in place, on your own hard drive and networked locations and then sell you back the key to regain access to it.

The trouble is, once they have access to your disks and network locations you have no way of knowing what else they might do. So there is a very good chance they took a copy of your files and will sell them again on the dark web in the future. It’s win-win for the hacker.

3 Likes

Was the data ransomed already encrypted?

If not, that little chlamydia thing from 2001 was clearly someone else using my medicare number without my permission. Yup.

1 Like

The worst thing to happen to BCBiomedical was getting bought out by LifeLabs.

Things went downhill fast.

3 Likes

… isn’t the data digital? Couldn’t copies have been made?

Yeah. This.

Boy, if only they would privatize their medical system like the good ol’ USA, they wouldn’t be in this pickle. Plus after squeezing their citizens, they would have a lot more money to pay off future ransoms. And once they are truly humongous, they could pivot to just not caring. Win-win. /s

LifeLabs has pretty much taken over the private medical laboratory business here in BC, not sure about the rest of Canada.

I’m sure the hackers will make good use of the results of my blood tests etc. that have happened over the years. Of course I don’t have anything that I wouldn’t want getting out. I can think of many people who would have very legitimate reasons to want to keep their lab results private.

I have so many questions…

Wouldn’t an offsite backup foil such an attack? Sure, the hackers would have the data, but it at least wouldn’t be missing. And after they pay the ransom, don’t the hackers still possess what they’ve stolen?

True, but also what’s especially damning about this incident: classic ransomware does data denial in-place (likely more out of practicality than benevolence; bulk exfiltration can be tricky and forces you to operate your own storage infrastructure; while cryptography requires extremely minimal network traffic and leaves the victim handling the storage of everything except the key they desperately need); which, for all its downsides, does offer a nontrivial degree of verifiability; both with respect to the “did they give my data back or did they stiff me?” question and the “are there now at least two copies of my data, all but one wholly at the mercy of known malicious actors?” question.

In this case the attackers apparently did actually exfiltrate the records, not just munge them in place; and once that happens the answers to both those important questions get rather less reassuring; especially the latter one. Subtle and plausible data tampering is challenging, but a great deal easier to do when you have some unsupervised hands-on time with the only copy, rather than having to implement your modifications entirely in a malware payload that needs to be unobtrusive and independent to the degree possible. Demonstrating the difference between providing a copy of the data and scrubbing all yours and merely providing a copy of the data and then hanging on to your copy(s) is essentially impossible.

It’s not like criminals are required by their professional licensing association to faithfully implement Digital Wrongs Management technology (“Trusted Clients for Untrusted People™®”) that prevents data from being illicitly copied more than once (actually pretty much what the old ‘Serial Copy Management System’ was supposed to do to keep DAT piracy away); so once they have a copy it’s more or less profoundly negligent to assume anything other than retention and exploitation of it.

Well as someone who has been on a priority waiting list to have a family doctor in my county for 5 months, I’d be happy just to have a doctor. I have no choice on their security measures. My last doctor’s office couldn’t figure out how to send an e-mail, or work their booking system, so I don’t think cyber security is a priority.

LifeLabs muscled out the non-hospital labs in my old region of Ontario. Last couple times I needed tests done they kept trying to push their premium online service where you can pay to log in and see your results without going through your doctor. I am assuming this service is what was ransomwared as the article says names and passwords were affected. I’m glad I didn’t sign up for it.

I wish that they’d be a little more specific. Was it all the test files or just the ones where someone had created an online account? (Created an account for mom last week because you can’t book appointments by telephone.)

15M customers, for Canada, is huge. How does the ransom payoff work, the anonymous hackers promise to delete their copy of the data? And they get trusted on their word?

Joe_Kickass

Yeah, that is exactly how ransomware works.

They typically will encrypt your data in place, on your own hard drive and networked locations and then sell you back the key to regain access to it.

The trouble is, once they have access to your disks and network locations you have no way of knowing what else they might do. So there is a very good chance they took a copy of your files and will sell them again on the dark web in the future. It’s win-win for the hacker.

=============

OK, so since what he describes is not in reference to what you then natter on about, how is that exactly how it works?

Here’s the thing. If someone is stupid enough to run a malicious bit of code on an unprotected network then the whole thing can be encrypted for ransom without a single bit of data downloaded by the ransomers. Maliciously executed code can do quite a lot of combinations of bad acts but none are to be assumed. But here is what the news media is saying in a very stupid way. They are not saying that it was encrypted with a password so that LifeLabs couldn’t access it, à la the usual way ransoms are done. LifeLabs is acting as if it was stolen and they “got it back”, which is ridiculous to say because if it’s stolen then yes, infinite copies can be made.

LifeLabs is offering no info on what happened; they are obfuscating really, really hard. The media is just sitting there with their thumbs in their butts letting it play out as LifeLabs wants. It’s really pissing me off.
