TORONTO — The Medisys Health Group and its affiliate Copeman Healthcare say they paid an unspecified ransom to retrieve personal information for about 60,000 clients after detecting a security breach on Aug. 31.
An email from Medisys head office in Montreal says privacy officials were notified Sept. 4, four days after the breach was discovered, and began notifying customers last week.
They say hackers got demographic information, such as ages and addresses, and some personal health numbers but no financial information or Social Insurance Numbers..
In some cases, test results, consultation reports and prescription information was obtained but recovered after a ransom was paid.
Medisys and Copeman's websites — which note they belong to Telus — say their security consultants paid the ransom and confirmed the hackers didn't tamper with the data.
However, cybersecurity experts say there's a black market for personal information that can be bought, sold and traded by criminal organizations.
The companies are offering affected clients five years of free identity theft protection from a commercial provider — a common response when businesses are hacked..
"We apologize for any inconvenience and we want to assure our clients that we do not believe there is cause for concern." a website notice says.
The office of Canada's federal privacy commissioner said in an email that it's in ongoing communication with Telus.
"Given the potential seriousness of the breach, we are seeking more information in order to determine next steps," Valarie Lawton said for the Office of the Privacy Commission.
An email from B.C.'s privacy commissioner confirmed that it's investigating but was unable to offer further comment.
Their Ontario counterpart said it is working with Medysis "to determine the scope and the circumstances of the breach. Until we do so, we have no further details to share at this time."
The Medisys Health Group's website, which provides a prominent notice about its COVID-19 services, describes itself as a national provider of preventive and corporate health-care services. Besides the Medisys brand, it operates Copeman Healthcare Centres and Horizon Occupational Health Solutions.
The Copeman website says it operates two locations in the Vancouver area and one each in Calgary and Edmonton. It was bought by Medisys in 2014, four years before Telus bought Medisys.
The Medisys security breach appears similar but smaller than one that occurred last year at Toronto-based LifeLabs, which operates mostly in Ontario and British Columbia.
LifeLabs, which primarily does blood tests, medical imaging as well as laboratory analysis, revealed in November that hackers gained access to the personal information of up to 15 million customers.
A statement issued in June by the privacy commissioners in B.C. and Ontario, said LifeLabs failed to put in place reasonable safeguards to protect the personal health information.
However, they announced in July that LifeLabs had gone to court to stop them from publicly releasing a full report about the incident.
This report by The Canadian Press was first published Sept. 30, 2020.
Companies in this story: (TSX:T)
David Paddon, The Canadian Press
Note to readers: This is a corrected story. An earlier version said Telus bought Copeman in 2014.