Class Actions

CarePartners Privacy Class Action —

This privacy breach class action is brought against 8262900 Canada Inc. o/a CarePartners (“CarePartners”), on behalf of current and former CarePartners patients and non-unionized staff whose personal information was compromised in a cyber-attack that was reported on June 18, 2018. The action was certified for the purposes of effecting a settlement on March 2, 2022.

Case Overview

Waddell Phillips Professional Corporation, along with Howie, Sacks & Henry LLP and Schneider Law Firm, brought this class action in relation to a privacy breach that was announced by CarePartners in June 2018.

The claim alleges that cyber attackers were able to exploit CarePartners’ inadequate and outdated security systems to access CarePartners’ computer network and extract data containing the personal information and personal health information of hundreds of thousands of CarePartners patients and staff (the “Breach”). The compromised information includes detailed medical records and financial information, as well as contact information, and information about patients’ daily lives, workplaces, families, and homes.

This class action is brought on behalf of all persons who were patients, non-unionized employees and contractors of CarePartners from January 1, 2010 to June 11, 2018, excluding CarePartners’ officers and directors, and unionized staff. The claim alleges that CarePartners is liable for breach of privacy, breach of contract, negligence, and breaches of various statutes.

This action has been settled, and the court has approved the settlement. Notice of the settlement will be published once the names of the affected individuals have been determined.

There is no cost to participate in this class proceeding. The lawyers are working on a contingency fee arrangement, and will be paid 20% of the proceeds of the settlement, as approved by the court.

The Cyber Breach at CarePartners

CarePartners is one of Ontario’s largest private healthcare services providers. It specializes in providing out-of-hospital care—including personal support care, nursing care, rehabilitation care, caregiver support, and palliative care—to patients at their homes, schools or workplaces. CarePartners provides its services to patients primarily as a partner of Ontario’s Local Health Integration Networks (“LHINs”), although it also runs its own network of clinics. In total, CarePartners had provided services to approximately 237,000 patients at the time of the Breach.

To carry out its work, CarePartners collects a large quantity of sensitive personal information, including personal health information, from its patients and their families, as well as sensitive personal information, including personal financial information, from its over 4,500 staff and contract workers.

On June 11, 2018, hackers informed CarePartners that they had penetrated CarePartners’ computer network, and used their unauthorized access to extract virtually all of the data on their servers dating back to 2010. They provided a sample of the stolen data to accompany their claim (which CarePartners verified as authentic), and demanded an undisclosed amount of money as ransom in exchange for not posting the stolen data online. CarePartners did not pay the ransom, and the hackers began approaching media outlets regarding the Breach, which included providing CBC News reporters with access to a large sample of the stolen data, which CBC News reported on here.

CarePartners did not provide individuals affected by the Breach with direct notice that the Breach had occurred until after the CBC News report. The notice that was provided did not explain how the Breach occurred, the scope of the data that was stolen, or what efforts CarePartners made to recover the data. To date, CarePartners has not provided affected individuals with any details regarding these important issues.


Contact Us

If you are a current or former patient, non-unionized employee, or contractor of CarePartners, you may be eligible for compensation if the action is successful. For more information, or to ensure that you are provided with important notices about the class action as it progresses, please complete our secure online form under the “Ask a Question” Tab (above). Your information will be kept strictly confidential and will be used only to communicate with you, and to assist with the prosecution of the action.

Case Overview

Waddell Phillips Professional Corporation, along with Howie, Sacks & Henry LLP and Schneider Law Firm, brought this class action in relation to a privacy breach that was announced by CarePartners in June 2018.

The claim alleges that cyber attackers were able to exploit CarePartners’ inadequate and outdated security systems to access CarePartners’ computer network and extract data containing the personal information and personal health information of hundreds of thousands of CarePartners patients and staff (the “Breach”). The compromised information includes detailed medical records and financial information, as well as contact information, and information about patients’ daily lives, workplaces, families, and homes.

This class action is brought on behalf of all persons who were patients, non-unionized employees and contractors of CarePartners from January 1, 2010 to June 11, 2018, excluding CarePartners’ officers and directors, and unionized staff. The claim alleges that CarePartners is liable for breach of privacy, breach of contract, negligence, and breaches of various statutes.

This action has been settled, and the court has approved the settlement. Notice of the settlement will be published once the names of the affected individuals have been determined.

There is no cost to participate in this class proceeding. The lawyers are working on a contingency fee arrangement, and will be paid 20% of the proceeds of the settlement, as approved by the court.

The Cyber Breach at CarePartners

CarePartners is one of Ontario’s largest private healthcare services providers. It specializes in providing out-of-hospital care—including personal support care, nursing care, rehabilitation care, caregiver support, and palliative care—to patients at their homes, schools or workplaces. CarePartners provides its services to patients primarily as a partner of Ontario’s Local Health Integration Networks (“LHINs”), although it also runs its own network of clinics. In total, CarePartners had provided services to approximately 237,000 patients at the time of the Breach.

To carry out its work, CarePartners collects a large quantity of sensitive personal information, including personal health information, from its patients and their families, as well as sensitive personal information, including personal financial information, from its over 4,500 staff and contract workers.

On June 11, 2018, hackers informed CarePartners that they had penetrated CarePartners’ computer network, and used their unauthorized access to extract virtually all of the data on their servers dating back to 2010. They provided a sample of the stolen data to accompany their claim (which CarePartners verified as authentic), and demanded an undisclosed amount of money as ransom in exchange for not posting the stolen data online. CarePartners did not pay the ransom, and the hackers began approaching media outlets regarding the Breach, which included providing CBC News reporters with access to a large sample of the stolen data, which CBC News reported on here.

CarePartners did not provide individuals affected by the Breach with direct notice that the Breach had occurred until after the CBC News report. The notice that was provided did not explain how the Breach occurred, the scope of the data that was stolen, or what efforts CarePartners made to recover the data. To date, CarePartners has not provided affected individuals with any details regarding these important issues.


Contact Us

If you are a current or former patient, non-unionized employee, or contractor of CarePartners, you may be eligible for compensation if the action is successful. For more information, or to ensure that you are provided with important notices about the class action as it progresses, please complete our secure online form under the “Ask a Question” Tab (above). Your information will be kept strictly confidential and will be used only to communicate with you, and to assist with the prosecution of the action.

A Settlement Has been Reached

The parties have negotiated a settlement of this class action, and it was approved by the court on March 2, 2022.  A copy of the Settlement Agreement can be viewed under the “Documents” tab on this webpage.

The Terms of the Settlement

Under the terms of the settlement, CarePartners will pay up to $3.44 million to fully and finally settle the action, all inclusive.  In return, CarePartners has received a full and final release from the Class.  The total amount that CarePartners will pay will depend on the total number of individuals whose data was taken from CarePartners’ computer systems, and was produced to the CBC as part of the hackers’ attempt to extort a ransom from CarePartners.  CBC reported that as many as 80,000 individual’s data may have been produced.  If fewer than 45,000 individuals are identified from the data released to CBC, then the total amount of the settlement will be reduced to $2.44 million.

The total amount that will be paid to qualifying Class Members will depend upon the total number of Affected Class Members, and how many Affected Class Members make a claim.  Affected Class Members are those people whose data was released to the CBC  by the hackers.  The payment is estimated to be no less than $25 per person.

None of the data produced to CBC has been released by it, and the data has been kept in a secure, off-line location; but the data was reviewed by CBC reporters.

No money will be paid out until after the claim period is over on January 11, 2023.  You can make a claim now by visiting the Claims Portal here: https://portal.carepartnersprivacybreach.ca/.

Legal Fees will be Paid from the Settlement Fund

The court has approved fees to be paid to Class Counsel from the settlement fund totalling 20% of the settlement fund, plus disbursements and taxes. The costs of administering the settlement will also be paid from the settlement fund. There is no other cost to the class to participate in the class action.

What Happens Next

Once all the Affected Class Members have been identified in the CBC data, then a notice will be sent to the last known address for every individual who is identified to have had their personal information included in the data produced to the CBC (the “Affected Class Members”). Only Affected Class Members will be entitled to claim a portion of the settlement fund. The settlement fund will be divided equally among all Affected Class Members who submit a claim before a deadline that will be set by the court. Details about how to submit a claim and the claim deadline will be included with the notice sent to the Affected Class Members.

If you fall within the class definition, and you do not wish to be included in this class action, then you can “opt out”. To opt out – send an email or letter to the Claims Administrator:

Trilogy Class Action Services c/o CarePartners Class Action Settlement
117 Queen Street, PO Box 1000,
Niagara-on-the-Lake ON L0S 1J0
Email: claims@trilogyclassactions.ca


To submit an electronic claim, please visit the Claims Administrator’s website at the link below and follow the steps:

https://portal.carepartnersprivacybreach.ca/


Additional updates will be posted as the class action progresses.

 

We review every inquiry we receive and will respond promptly to case specific inquiries.

Contact us below and we’ll respond shortly.

Contact Us