Medisys Health Group and its affiliate Copeman Healthcare say they paid an unspecified ransom to recover the personal information of about 60,000 customers after detecting a security breach on August 31.
An email from Medisys headquarters in Montreal says privacy officials were notified on September 4, four days after the breach was discovered, and that notification of customers began last week.
They say the hackers obtained demographic information, such as ages and addresses, and some personal health numbers, but not financial information or social security numbers.
In some cases, test results, consultation reports, and prescribing information were obtained, but were recovered after the ransom was paid.
The Medisys and Copeman websites, which say the companies belong to Telus, say their security consultants paid the ransom and confirmed that the hackers did not tamper with the data.
However, cybersecurity experts say there is a black market for personal information that criminal organizations can buy, sell and trade.
The companies are offering affected customers five years of free protection against identity theft from a commercial provider, a common response when companies are hacked.
“We apologize for any inconvenience and want to assure our customers that we do not believe there is cause for concern,” says a notice on the website.
Canada’s federal privacy commissioner’s office said in an email that it is in ongoing communication with Telus.
“Given the possible severity of the violation, we are seeking more information to determine next steps,” said Valarie Lawton for the Office of the Privacy Commission.
An email from BC’s privacy commissioner confirmed that it is investigating but could not offer further comment.
His Ontario counterpart said he is working with Medisys “to determine the scope and circumstances of the violation. Until we do, we have no further details to share at this time.”
The Medisys Health Group website, which provides a prominent notice about its COVID-19 services, describes itself as a national provider of corporate and preventive health care services. In addition to the Medisys brand, it operates Copeman Healthcare Centers and Horizon Occupational Health Solutions.
Copeman’s website says it operates two locations in the Vancouver area, one in Calgary and one in Edmonton. It was bought by Medisys in 2014, four years before Telus bought Medisys.
Medisys’s security breach appears similar to but smaller than what occurred last year at Toronto-based LifeLabs, which operates primarily in Ontario and British Columbia.
LifeLabs, which primarily performs blood tests, medical imaging, and lab tests, revealed in November that hackers gained access to the personal information of up to 15 million customers.
A statement issued in June by privacy commissioners in BC and Ontario said that LifeLabs did not implement reasonable safeguards to protect personal health information.
However, they announced in July that LifeLabs had gone to court to prevent them from publishing a full report on the incident.