Biomedical investigating ‘unauthorized access’ of sensitive client data
Published:Monday | February 17, 2025 | 9:26 AMLivern Barrett/Senior Staff Reporter
One of the largest private medical labs in Jamaica has confirmed that unknown actors gained “unauthorized access” to its network and systems through an external vendor last November.
However, the extent of the breach at Biomedical Caledonia Medical Laboratory Limited is still unclear, as the company said that is still being investigated.
Biomedical Caledonia Medical Laboratory, which has been in operation since 1968, provides a range of services, from routine basic blood counts to highly complex tests that assist in diagnosing cancer and other rare diseases, according to its website.
The company has over 50 collection centres across Jamaica.
“We deeply regret this incident,” Biomedical Laboratory said in a public statement release late yesterday evening.
“We remain focused on completing our investigation and communicating with stakeholders who may have been impacted.”
The statement came hours after a Jamaican cybersecurity expert based overseas posted on a social media platform claiming that hackers have published over 70,000 medical files from Biomedical Labs.
According to the post on X, formerly Twitter, the medical files were among approximately 400,000 that were allegedly stolen by hackers last December.
“Data includes cancer screening tests (cytology) and tons of personal data now on the dark web being downloaded by thousands or maybe millions of people,” the message claimed.
The cybersecurity expert claimed also that there was no public indication from the lab chain that they have informed thousands of potential victims that their personal data have been compromised, which is a requirement under Jamaica’s Data Protection Act.
However, the statement from Biomedical Caledonia Medical Laboratory sought to reassure customers that it is “doing everything possible to protect their data and maintain the trust they have placed in us”.
“At the time the breach was discovered, we immediately took the necessary steps to prevent further unauthorized access, hired a certified cybersecurity and forensic investigator and a team of cybersecurity specialists to address the issue,” the statement said.
All relevant government and law enforcement stakeholders were also notified, it said.
The company said it has since selected a new managed service provider, implemented enhanced security measures, upgraded its IT infrastructure, deployed a security information and event management system, as well as installed an intrusion detection system.
“These measures have strengthened our security posture.”