Case Overview
LifeLabs is one of the largest medical testing companies in Canada, providing diagnostic medical testing services, including specimen collection, laboratory testing, and reporting of results to patients and health practitioners across the country. As such, LifeLabs is the custodian of a trove of highly sensitive health information about millions of Canadians.
Around October 31, 2019, LifeLabs discovered that cyberattackers had penetrated its computer network, and had access to its system for nearly a year. During this time, the hackers extracted the personal health information and other private information of LifeLabs’ patients. An estimated 7 million Ontarians and 1.25 million B.C. residents may have been affected. After gaining access to LifeLabs’ computer network, the hackers demanded, and LifeLabs paid, an undisclosed amount of money as a ransom in an attempt to secure the data.
After securing the breach, on December 17, 2019, LifeLabs made a public announcement regarding the cyberattack and the resulting privacy breach. The Privacy Commissioners in Ontario and B.C. conducted a detailed joint investigation of the breach, in which they were highly critical of the cyber-security LifeLabs had in place at the time of the breach. LifeLabs has opposed the release of these Privacy Commissioners’ full reports.
Waddell Phillips joined forces with other law firms in Ontario and BC to pursue a proposed class action against LifeLabs and associated companies in respect of the privacy breaches that LifeLabs’ customers suffered. The claim alleged that LifeLabs had inadequate cybersecurity, which allowed hackers to penetrate LifeLabs’ computer network, and extract the personal health information.
The Class Proceeding
This class action alleged that the defendants were liable for breach of privacy, breach of contract and negligence, as well as other wrongs. When the claim was commenced, it included a claim for “intrusion upon seclusion”, which allows for a claim for damages without proof of loss. Since then, the courts (up to the Supreme Court of Canada) have determined that a claim for intrusion upon seclusion cannot be brought against the corporate victim of a third party cyber-attack. Rather, to succeed in the action, the victims would each have to prove that they suffered personal losses that they can prove were caused by the theft of their personal information.
Case Overview
LifeLabs is one of the largest medical testing companies in Canada, providing diagnostic medical testing services, including specimen collection, laboratory testing, and reporting of results to patients and health practitioners across the country. As such, LifeLabs is the custodian of a trove of highly sensitive health information about millions of Canadians.
Around October 31, 2019, LifeLabs discovered that cyberattackers had penetrated its computer network, and had access to its system for nearly a year. During this time, the hackers extracted the personal health information and other private information of LifeLabs’ patients. An estimated 7 million Ontarians and 1.25 million B.C. residents may have been affected. After gaining access to LifeLabs’ computer network, the hackers demanded, and LifeLabs paid, an undisclosed amount of money as a ransom in an attempt to secure the data.
After securing the breach, on December 17, 2019, LifeLabs made a public announcement regarding the cyberattack and the resulting privacy breach. The Privacy Commissioners in Ontario and B.C. conducted a detailed joint investigation of the breach, in which they were highly critical of the cyber-security LifeLabs had in place at the time of the breach. LifeLabs has opposed the release of these Privacy Commissioners’ full reports.
Waddell Phillips joined forces with other law firms in Ontario and BC to pursue a proposed class action against LifeLabs and associated companies in respect of the privacy breaches that LifeLabs’ customers suffered. The claim alleged that LifeLabs had inadequate cybersecurity, which allowed hackers to penetrate LifeLabs’ computer network, and extract the personal health information.
The Class Proceeding
This class action alleged that the defendants were liable for breach of privacy, breach of contract and negligence, as well as other wrongs. When the claim was commenced, it included a claim for “intrusion upon seclusion”, which allows for a claim for damages without proof of loss. Since then, the courts (up to the Supreme Court of Canada) have determined that a claim for intrusion upon seclusion cannot be brought against the corporate victim of a third party cyber-attack. Rather, to succeed in the action, the victims would each have to prove that they suffered personal losses that they can prove were caused by the theft of their personal information.
A settlement of this class action was approved by the Court on October 25, 2023. The Settlement Agreement and Approved Order can be viewed under the “Documents” tab.
Under the terms of the Settlement, LifeLabs paid $9.8 million (less legal fees) to Class Members who made valid claims for compensation.
The amount of compensation that each individual Class Member received was dependent upon the number of valid claims that were made.
Given the large number of valid claims received (901,544), which substantially surpassed all estimates, all Class Members who made valid claims received an e-Transfer of $7.86 or a cheque of $5.86 (which includes the deduction of a $2.00 cheque processing fee).
The claim period has ended and all payments have been made to eligible Class Members.
The time has now passed to opt out of this class action.
We review every inquiry we receive and will respond promptly to case specific inquiries.
Contact us below and we’ll respond shortly.