LifeLabs is one of the largest medical testing companies in Canada, providing diagnostic medical testing services, including specimen collection, laboratory testing, and reporting of results to patients and health practitioners across the country. As such, LifeLabs is the custodian of a trove of highly sensitive health information about millions of Canadians. Each year, LifeLabs performs over 112 million laboratory tests on Canadians.
Around October 31, 2019, LifeLabs discovered that cyberattacks had penetrated its computer network, and had access to its system for nearly a year. During this time, the hackers extracted the personal health information and other private information of LifeLabs’ patients. An estimated 7 million Ontarians and 1.25 million B.C. residents may have been affected. After gaining access to LifeLabs’ computer network, the hackers demanded, and LifeLabs paid, an undisclosed amount of money as a ransom in an attempt to secure the data.
After securing the breach, on December 17, 2019, LifeLabs made a public announcement regarding the cyberattack and the resulting privacy breach. The Privacy Commissioners in Ontario and B.C. conducted a detailed joint investigation of the breach, in which they were highly critical of the cyber-security LifeLabs had in place at the time of the breach. LifeLabs has opposed the release of these Privacy Commissioners’ full reports.
CFM Lawyers has joined forces with other law firms in Ontario to pursue a proposed class action against LifeLabs and associated companies in respect of the privacy breaches that LifeLabs’ customers suffered. The claim alleges that LifeLabs had inadequate cybersecurity, which allowed hackers to penetrate LifeLabs’ computer network, and extract the personal health information and other private information of an estimated 8.6 million Canadians. The compromised information includes medical lab test results, health card numbers, dates of birth, and other sensitive information. The vast majority of affected individuals are in Ontario and B.C., but individuals in other provinces and territories have been affected as well.
This class action alleges that the defendants are liable for breach of privacy, breach of contract and negligence, as well as other wrongs. When the claim was commenced, it included a claim for “intrusion upon seclusion”, which allows for a claim for damages without proof of loss. Since then, the courts (up to the Supreme Court of Canada) have determined that a claim for intrusion upon seclusion cannot be brought against the corporate victim of a third party cyber-attack. Rather, to succeed in the action, the victims would each have to prove that they suffered personal losses that they can prove were caused by the theft of their personal information.
Several competing proposed class actions were commenced, but the plaintiffs agreed to proceed with one lead national action, to be prosecuted in Ontario. A companion action has been brought in BC, but is being held in abeyance while the Ontario action is being litigated.
This action has been certified on consent for the purposes of facilitating a settlement negotiated between the parties. The Court will decide whether to approve the settlement at a hearing on October 25, 2023. The settlement will not be effective unless the Court approves it. The Settlement Agreement can be found under “Important Documents” below.
Under the terms of the Settlement, LifeLabs will pay a guaranteed amount of $4.9M, and up to a further $4.9M, depending upon the number of Class members who make valid claims for compensation.
The amount of compensation that each individual Class member may receive will be dependent upon the number of valid claims made.
Class Counsel’s legal fees and disbursements as approved by the Court will be deducted from the settlement fund before the balance is disbursed to Class member claimants. Class Counsel will be asking the Court to approve payment of its fees equal to 25% of the settlement fund, plus disbursements and taxes.