A data breach at Canadian clinical laboratory services provider LifeLabs has exposed the records of up to 15 million patients, but in an interesting twist, the company paid those behind the hack for the stolen data to be returned.

The hack took place in October and involved customer names, addresses, emails, logins, passwords, date of birth and health card numbers. Some 85,000 lab results were stolen as well.

How the attack took place or who was responsible for it was not disclosed. In regulatory filings today, the attack is described as involving cybercriminals penetrating the company’s systems, extracting data and demanding a ransom.

In an open letter to LifeLab customers, Chief Executive Officer Charles Brown apologized for the data breach. He said the company had engaged cybersecurity experts to isolate and secure the affected systems and took other measures to strengthen systems to deter future incidents.

Where the letter gets interesting is that Brown wrote that one of those measures included retrieving the stolen data by making a payment. “We did this in collaboration with experts familiar with cyber-attacks and negotiations with cybercriminals,” Brown wrote. How much was paid out was not disclosed.

Affected customers are being offered a free one-year subscription to a service that includes monitoring for activity on dark web, a shady part of the internet reachable with special software, and identity theft insurance.

Concerns have been raised as to why its disclosure took so long. British Columbia was informed of the data breach Oct. 28. Asked by the CBC why both the company and the province sat on the information until now, British Columbia Health Minister Adrian Dix said that there was some concern about secondary attacks.

“Naturally, all of us would have wanted immediately for people to be informed, as quickly as possible,” Dix said. “The only reason there was a delay was to ensure that information that hadn’t been compromised wouldn’t be compromised and that information that could be protected would be protected.”

Irfahn Khimji, country manager for Canada at the cybersecurity firm Tripwire Inc., told SiliconANGLE that many breaches have hit Canadians this past year”and that “this latest one hits a little closer to home because it involves medical records.

“While some of the information compromised cannot be changed, there is some due diligence that consumers can take,” Khimi said. “If one’s login credentials used to access the LifeLabs portal are used on other sites, it is a good idea to change those passwords as well as consider using a password manager moving forward. Where possible, it is also a good idea to enable multifactor authentication.”

Photo: LifeLabs