TORONTO – Medisys Health Group and its subsidiary Copeman Healthcare claim they paid an unspecified ransom to recover the personal information of around 60,000 customers after detecting a security breach on August 31.
An email from Medisys head office in Montreal says privacy officials were notified on September 4, four days after the breach was discovered, and that customer notifications began last week.
They say the hackers obtained demographic information, such as age and addresses, and some personal health numbers, but not financial information or social insurance numbers.
In some cases, test results, consultation reports, and prescription information were obtained but recovered after a ransom was paid.
The websites of Medisys and Copeman – which say they are owned by Telus – say their security consultants paid the ransom and confirmed that the hackers did not tamper with the data.
However, cybersecurity experts claim that there is a black market for personal information that can be bought, sold and traded by criminal organizations.
The companies are offering affected customers free identity theft protection for five years from a commercial vendor – a common response when businesses are hacked.
“We apologize for any inconvenience and would like to assure our customers that we do not think there is cause for concern,” a website notice says.
The Office of the Federal Privacy Commissioner of Canada said in an email that it was in constant communication with Telus.
“Given the potential severity of the breach, we are seeking more information to determine next steps,” said Valarie Lawton for the Office of the Privacy Commission.
An email from the BC Privacy Commissioner confirmed she was investigating, but was unable to provide further comment.
Their Ontario counterpart said he was working with Medisys “to determine the scope and circumstances of the violation. Until we do, we have no more details to share at this time.”
The Medisys Health Group website, which provides prominent notice on its COVID-19 services, describes itself as a national provider of preventative and corporate health services. In addition to the Medisys brand, it operates the Copeman and Horizon Occupational Health Solutions health centers.
The Copeman website says it operates two locations in the Vancouver area and one each in Calgary and Edmonton. It was bought by Medisys in 2014, four years before Telus bought Medisys.
Medisys’ security breach appears similar to, but smaller than, the one that occurred last year at Toronto-based LifeLabs, which operates primarily in Ontario and British Columbia.
LifeLabs, which primarily performs blood work, medical imaging and laboratory analysis, revealed in November that hackers had gained access to the personal information of nearly 15 million customers.
According to a statement released in June by the privacy commissioners of British Columbia and Ontario, LifeLabs failed to put in place reasonable safeguards to protect personal health information.
However, they announced in July that LifeLabs had gone to court to prevent them from publicly releasing a full report on the incident.
This report by The Canadian Press was first published on September 30, 2020.
Companies in this story: (TSX: T)
Note to readers: This is a corrected story. An earlier version stated that Telus bought Copeman in 2014.