It's still not entirely clear (there are conflicting messages on this) what type of attack it was -- whether it was a classic ransomware shakedown without wholesale data extraction from the network, or whether patient information was indeed downloaded.
If the latter is indeed the case, the company letter includes passwords among the data having been stolen. LifeLabs' CEO, in a statement, was unaware of whether or not the data was stored in encrypted form on their system.
In 2019, who stores passwords (or, indeed, any contact information from a sensitive data trove like this) in clear text, unencrypted? That's inexcusable, the height of irresponsibility! And if this does prove to be the case, I'll line up to join a class action suit for absolutely criminal negligence.