A proposed class action lawsuit has been filed against medical services company LifeLabs over a data breach that allowed hackers to access the personal information of up to 15 million customers.
In an unproven statement of claim filed in Ontario Superior Court on Dec. 27, lawyers Peter Waldmann and Andrew Stein accuse LifeLabs of negligence, breach of contract and violating their customers’ confidence as well as privacy and consumer protection laws.
The statement of claim was filed on behalf of five named plaintiffs, including lead plaintiff Christopher Sparling, but seeks to represent all Canadians who used LifeLabs’ services, or else those who were told they were affected by the breach, if that information becomes available.
The plaintiffs allege LifeLabs “failed to implement adequate measures and controls to detect and respond swiftly to threats and risks to the Personal Information and health records of the class members,” in violation of the company’s own privacy policy.
In the court document, specific allegations include a failure to implement “any, or adequate, cyber-security measures,” neglecting to hire or train personnel responsible for network security management, storing personal information on unsecured network and servers, and failing to encrypt the data.
LifeLabs has said the data hack affected up to 15 million customers, almost all of them in Ontario and British Columbia. The compromised database included health card numbers, names, email addresses, logins, passwords and dates of birth, but it was unclear how many files were accessed. The lab results of 85,000 customers in Ontario were also obtained by the hackers, the company said.
The class action, which has yet to be certified, asks for more than $1.13 billion in compensation for LifeLabs’ clients, who they say experienced repercussions including damage to their credit reputation, wasted time, and mental anguish.
“The Plaintiffs and the Class Members are therefore obliged to take all reasonable steps necessary to protect their information including hours of wasted time and inconvenience involved in applying for identity theft protection services, changing passwords, notifying financial institutions and applying for new social insurance numbers from Service Canada, as well as the humiliation and mental distress of having lab tests results released without their consent,” the statement of claim read.
The plaintiffs are also seeking additional punitive and moral damages.
LifeLabs chief executive Charles Brown apologized earlier this month for the breach, which led the company to pay a ransom to retrieve the data.
The company also assured the public that its consultants have seen no evidence that data from LifeLabs has been trafficked by criminal groups that are known to buy and sell such data over the internet.
The company did not immediately respond to a request for comment on Sunday.