A class-action lawsuit has been filed against a Canadian laboratory testing company following a cyber-attack in which the data of 15 million of its customers was accessed by criminals.
LifeLabs reported the data breach to government partners on October 28, 2019, but waited until December 17 to notify its customers.
Sensitive information exposed in the incident may have included customers' names, addresses, email addresses, logins, passwords, dates of birth, health card numbers, and lab test results.
The cyber-criminals who accessed the data were paid an undisclosed amount by LifeLabs in return for a promise to not make the information public.
On December 27, lawyers Peter Waldmann and Andrew Stein filed an unproven statement of claim in Ontario Superior Court in which LifeLabs is accused of breach of contract and negligence. The company is further accused of violating consumer protection laws and of violating its customers’ privacy and confidence.
The statement of claim was filed on behalf of five named plaintiffs, including lead plaintiff Christopher Sparling, who allege that LifeLabs violated its own privacy policy when it "failed to implement adequate measures and controls to detect and respond swiftly to threats and risks to the Personal Information and health records of the class members."
It is further alleged that LifeLabs stored customers' personal information on unsecured networks or servers, failed to implement "any, or adequate, cyber-security measures," didn't encrypt data, and neglected to hire or train any personnel responsible for network security management.
According to Canadian Underwriter, Waldmann and Stein are seeking more than $1.13bn in compensation for LifeLabs' Canadian customers to make up for the mental anguish, wasted time, and damage to their credit reputation they have suffered. The plaintiffs are seeking additional punitive and moral damages.
In an open letter, LifeLabs CEO Charles Brown wrote that up to 15 million customers, almost all of them in Ontario and British Columbia, may have been affected by the data breach.
On December 18, a toll-free helpline, set up to field calls from concerned LifeLabs customers, received over 5,000 calls. According to CTV News, a second line had to be set up to deal with the volume of calls.
LifeLabs is owned by one of the biggest pension funds in Canada, the Ontario Municipal Employees Retirement System, which has $92 billion in assets.