LifeLabs, which does blood work and other tests across Canada, said in a letter to customers that their names, contact information, health card numbers and lab test results were exposed in a cyber attack on its computers in early November.
Most of those affected are in Ontario or British Columbia.
The company also said it paid an undisclosed sum to the hackers to retrieve the data, and has retained cyber security experts to isolate and secure its affected computers, as well as determine the scope of the breach.
“We want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber attack is low,” the company said in a statement.
It added that its security consultants “have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.”
Ontario and British Columbia privacy commissioners Brian Beamish and Michael McEvoy said they are conducting a joint investigation into the breach, calling the scale of the attack “extremely troubling.