Class Actions

CarePartners Privacy Class Action —

This proposed privacy breach class action is brought against 8262900 Canada Inc. o/a CarePartners (“CarePartners”), on behalf of current and former CarePartners patients and non-unionized staff whose personal information was compromised in a cyber attack that was reported on June 18, 2018.

Case Overview

Waddell Phillips Professional Corporation, along with Howie, Sacks & Henry LLP and Schneider Law Firm, have launched a proposed class action in relation to a privacy breach that was announced by CarePartners in June 2018.

The claim alleges that cyber attackers were able to exploit CarePartners’ inadequate and outdated security systems to access CarePartners’ computer network and extract data containing the personal information and personal health information of hundreds of thousands of CarePartners patients and staff (the “Breach”). The compromised information includes detailed medical records and financial information, as well as contact information, and information about patients’ daily lives, workplaces, families, and homes.

This proposed class action is brought on behalf of all persons, excluding CarePartners’ senior executives, officers and directors, and unionized staff, whose Personal Information and/or Personal Health Information was accessed in the Breach. The claim alleges that CarePartners is liable for breach of privacy, breach of contract, negligence, and various breaches of various statutes.

There is no cost to participate in this class proceeding. The lawyers are working on a contingency fee arrangement, and will only be paid from the proceeds of the litigation, if successful.

The Cyber Breach at CarePartners

CarePartners is one of Ontario’s largest private healthcare services providers. It specializes in providing out-of-hospital care—including personal support care, nursing care, rehabilitation care, caregiver support, and palliative care—to patients at their homes, schools or workplaces. CarePartners provides its services to patients primarily as a partner of Ontario’s Local Health Integration Networks (“LHINs”), although it also runs its own network of clinics. In total, CarePartners had provided services to approximately 237,000 patients at the time of the Breach.

To carry out its work, CarePartners collects a large quantity of sensitive personal information, including personal health information, from its patients and their families, as well as sensitive personal information, including personal financial information, from its over 4,500 staff and contract workers.

On June 11, 2018, hackers informed CarePartners that they had penetrated CarePartners’ computer network, and used their unauthorized access to extract virtually all of the data on their servers dating back to 2010. They provided a sample of the stolen data to accompany their claim (which CarePartners verified as authentic), and demanded an undisclosed amount of money as ransom in exchange for not posting the stolen data online. CarePartners did not pay the ransom, and the hackers began approaching media outlets regarding the Breach, which included providing CBC News reporters with access to a large sample of the stolen data, which CBC News reported on here.

CarePartners did not provide individuals affected by the Breach with direct notice that the Breach had occurred until after the CBC News report. The notice that was provided did not explain how the Breach occurred, the scope of the data that was stolen, or what efforts CarePartners made to recover the data. To date, CarePartners has not provided affected individuals with any details regarding these important issues.


Contact Us

If you are a current or former patient, non-unionized employee, or contractor of CarePartners, you may be eligible for compensation if the action is successful. For more information, or to ensure that you are provided with important notices about the class action as it progresses, please complete our secure online form under the “Ask a Question” Tab (above). Your information will be kept strictly confidential and will be used only to communicate with you, and to assist with the prosecution of the action.

Case Overview

Waddell Phillips Professional Corporation, along with Howie, Sacks & Henry LLP and Schneider Law Firm, have launched a proposed class action in relation to a privacy breach that was announced by CarePartners in June 2018.

The claim alleges that cyber attackers were able to exploit CarePartners’ inadequate and outdated security systems to access CarePartners’ computer network and extract data containing the personal information and personal health information of hundreds of thousands of CarePartners patients and staff (the “Breach”). The compromised information includes detailed medical records and financial information, as well as contact information, and information about patients’ daily lives, workplaces, families, and homes.

This proposed class action is brought on behalf of all persons, excluding CarePartners’ senior executives, officers and directors, and unionized staff, whose Personal Information and/or Personal Health Information was accessed in the Breach. The claim alleges that CarePartners is liable for breach of privacy, breach of contract, negligence, and various breaches of various statutes.

There is no cost to participate in this class proceeding. The lawyers are working on a contingency fee arrangement, and will only be paid from the proceeds of the litigation, if successful.

The Cyber Breach at CarePartners

CarePartners is one of Ontario’s largest private healthcare services providers. It specializes in providing out-of-hospital care—including personal support care, nursing care, rehabilitation care, caregiver support, and palliative care—to patients at their homes, schools or workplaces. CarePartners provides its services to patients primarily as a partner of Ontario’s Local Health Integration Networks (“LHINs”), although it also runs its own network of clinics. In total, CarePartners had provided services to approximately 237,000 patients at the time of the Breach.

To carry out its work, CarePartners collects a large quantity of sensitive personal information, including personal health information, from its patients and their families, as well as sensitive personal information, including personal financial information, from its over 4,500 staff and contract workers.

On June 11, 2018, hackers informed CarePartners that they had penetrated CarePartners’ computer network, and used their unauthorized access to extract virtually all of the data on their servers dating back to 2010. They provided a sample of the stolen data to accompany their claim (which CarePartners verified as authentic), and demanded an undisclosed amount of money as ransom in exchange for not posting the stolen data online. CarePartners did not pay the ransom, and the hackers began approaching media outlets regarding the Breach, which included providing CBC News reporters with access to a large sample of the stolen data, which CBC News reported on here.

CarePartners did not provide individuals affected by the Breach with direct notice that the Breach had occurred until after the CBC News report. The notice that was provided did not explain how the Breach occurred, the scope of the data that was stolen, or what efforts CarePartners made to recover the data. To date, CarePartners has not provided affected individuals with any details regarding these important issues.


Contact Us

If you are a current or former patient, non-unionized employee, or contractor of CarePartners, you may be eligible for compensation if the action is successful. For more information, or to ensure that you are provided with important notices about the class action as it progresses, please complete our secure online form under the “Ask a Question” Tab (above). Your information will be kept strictly confidential and will be used only to communicate with you, and to assist with the prosecution of the action.

A Settlement Has been Reached

The parties have negotiated a settlement of this proposed class action.  A copy of the Settlement Agreement can be viewed under the “Documents” tab on this webpage.

The Settlement Approval Hearing

The settlement will not be enforceable until it has been approved by the Superior Court of Justice.  The hearing for certification of this action as a class proceeding for the purposes of the settlement and for approval of the Settlement Agreement is scheduled to be held by video conference on Wednesday,  February 9, 2022 at 10:00 a.m. ET.

The Terms of the Settlement

Under the terms of the settlement, CarePartners will pay up to $3.44 million to fully and finally settle the action, all inclusive.  In return the Class will provide CarePartners with a full and final release.  The total amount that CarePartners will pay will depend on the total number of individuals whose data was taken from CarePartners’ computer systems, and was produced to the CBC as part of the hackers’ attempt to extort a ransom from CarePartners.  CBC reported that as many as 80,000 individual’s data may have been produced.  If fewer than 45,000 individuals are identified from the data released to CBC, then the total amount of the settlement will be reduced to $2.44 million.

The total amount that will be paid to qualifying Class Members will depend upon the total number of affected Class Members, and how many affected Class Members make a claim.  The payment is estimated to be no less than $25 per person.

None of the data produced to CBC has been released by it, and the data has been kept in a secure, off-line location; but the data was reviewed by CBC reporters.

No money is being paid out yet.  The action must first be certified and the settlement approved.

What Happens Next

If the settlement is approved by the court, then a notice will be sent to the last known address for every individual who is identified to have had their personal information included in the data produced to the CBC (the “qualified class members”).  Only qualified class members will be entitled to receive a portion of the settlement fund. The settlement fund will be divided equally among all qualified class members who submit a claim before a deadline that will be set by the court.  Details about how to submit a claim and the claim deadline will be included with the notice sent to the qualified class members.

If you do not wish to be included in this class action, then you will have the opportunity to “opt out” after it is certified as a class action.  The details about how to opt out will be posted on this website if the action is certified and the settlement is approved.

If you object to this proposed settlement, then you may make submissions to the court explaining why you object.  You can do this by sending a written objection to our firm, either using the “Contact Us” button, or by email, mail or fax.  Alternatively, you can attend at the virtual hearing and make your objections to the court in person.  If you wish to make submissions to the court in person, please let us know by sending a message using the “Contact Us” button, or by email, mail or fax, and we will send you the videoconference link.

If you want more information about the Settlement, we would be pleased to speak with you or send you an email. Please send us your inquiry using the “Contact Us” button, or by email, mail or fax, or call 647.261.4486.


Additional updates will be posted as the class action progresses.

 

We review every inquiry we receive and will respond promptly to case specific inquiries.

Contact us below and we’ll respond shortly.

Contact Us