British Columbia and Ontario are working together to investigate a cyberattack on Lifelabs.

The attack possible breached the private data of up to 15 million people. LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services.

The company reported a potential cyberattack on November 1st to the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia and confirmed it not long after.

Lifelabs didn’t publicly announce the attack until today. The company says it is working to let the people affected by the breach know. The affected systems contain things like names, addresses, emails, customer logins and passwords, health card numbers and lab tests.

Those responsible for the attack demanded a ransom from Lifelabs and the company has retained outside cybersecurity consultants to investigate and assist with restoring the security of the data.

The co-ordinated IPC/OIPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it and what, if any, measures Lifelabs could have taken to prevent and contain the breach as well as investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.

“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” said Brian Beamish, information and privacy commissioner of Ontario. “Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and health-care organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”

Michael McEvoy, information and privacy commissioner for B.C. said, “I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected. Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”

The IPC and OIPC are reaching out to the information and privacy commissioners of other jurisdictions with affected customers.

LifeLabs has set up a dedicated phone line and information on its website for individuals affected by the breach. To find out more, you can visit customernotice.lifelabs.com or calls LifeLabs at 1 888 918-0467.