A class action lawsuit was filed against Canadian private company LifeLabs. This is in response to a data breach affecting 15 million Canadians.
While Christmas may have been jolly for some, for LifeLabs and their customers, it might be a Christmas they’d rather forget. Earlier this month, the medical diagnostics company was hit with a data breach. In all, 15 million Canadians as well as an estimated 85,000 lab result patients had their information exposed. From The Vancouver Sun:
Six weeks after discovering the breach, security experts hired by the company are still trying to figure out how much data was involved. The servers that were accessed contained information on 15 million Canadians, including almost four million in B.C., according to CEO Charles Brown.
“This is still under police investigation,” Brown told Postmedia. “I just can’t talk about actual details of who did what, (or) how we got contacted (about the ransom demand).”
The information that cyber criminals might have had access to includes names, addresses, emails, patient login passwords, and health-card numbers.
Additionally, the company knows that lab results for 85,000 Ontario residents were also potentially compromised, Brown said.
B.C. Health Minister Adrian Dix said LifeLabs contacted the government on Oct. 28, and informed the office of B.C. Information and Privacy Commissioner Michael McEvoy on Nov. 1.
LifeLabs has been providing daily updates on its progress in dealing with the breach, Dix said, and the information and privacy commissioners in both B.C. and Ontario have launched their own investigations into the incident.
In situations like this, a moderately large breach can do a lot of damage. For instance, the company's reputation can suffer as some begin questioning the safety of their information at a company that has already been hacked. If a company has a public offering, stock values tend to drop. Additionally, there are often investigations by police and intelligence organizations, and sometimes public investigations where politicians are involved.
Another thing that tends to happen after a breach is that victims sue the company for failing to protect their information. More recently, that is exactly what is happening. From The Waterloo Chronicle:
A Toronto lawyer has launched a class-action lawsuit against LifeLabs, the medical testing company that recently admitted to a data breach that could affect more than 15 million Canadians.
Filed on behalf of five plaintiffs, including Toronto lawyer Christopher Sparling, the suit is seeking over $1.13 billion in potential damages due to alleged negligence in safeguarding customer data, as well as an additional $10 million in punitive damages.
“The point here is that there are 15 million people supposedly in Canada who are victims of this breach. Nobody’s ever seen something like this before in this country,” said Peter Waldman, the attorney who filed the suit. “Who knows what it’s worth to each person? Some people may have more serious consequences than others, depending on what their personal circumstances are. We don’t know yet. It’s the opening chapter of this story.”
The new suit is one of at least three that have been filed and it remains to be determined which, if any, a court will choose to hear.
Some might be wondering where the privacy commissioners are in all of this. Indeed, there are both federal and provincial privacy commissioners who could be looking into this. As it turns out, they are saying that they are investigating the incident. From a press release:
The Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) are undertaking a coordinated investigation into a cyberattack on the computer systems of Canadian laboratory testing company LifeLabs.
LifeLabs is Canada’s largest provider of general diagnostic and specialty laboratory testing services. The company has four core divisions – LifeLabs, LifeLabs Genetics, Rocky Mountain Analytical, and Excelleris.
On November 1, 2019, LifeLabs reported a potential cyberattack on their computer systems to the IPC and the OIPC. Shortly thereafter, they confirmed they were the subject of an attack affecting the personal information of millions of customers, primarily in Ontario and British Columbia. They told us that the affected systems contain information of approximately 15 million LifeLabs customers, including name, address, email, customer logins and passwords, health card numbers, and lab tests. LifeLabs advised our offices that cyber criminals penetrated the company’s systems, extracting data and demanding a ransom. LifeLabs retained outside cybersecurity consultants to investigate and assist with restoring the security of the data.
The coordinated IPC/OIPC investigation will, among other things, examine the scope of the breach, the circumstances leading to it, and what, if any, measures LifeLabs could have taken to prevent and contain the breach. We will also investigate ways LifeLabs can help ensure the future security of personal information and avoid further attacks.
“An attack of this scale is extremely troubling. I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant,” says Brian Beamish, Information and Privacy Commissioner of Ontario. “Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and healthcare organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.”
“I am deeply concerned about this matter. The breach of sensitive personal health information can be devastating to those who are affected,” says Michael McEvoy, Information and Privacy Commissioner for BC. “Our independent offices are committed to thoroughly investigating this breach. We will publicly report our findings and recommendations once our work is complete.”
Some might look at the involvement of the Privacy Commissioners in both affected provinces and think that the matter will be taken care of. There is actually less comfort than you might think in what the privacy commissioners can do. All one has to do is look at one of the many cases against Facebook.
When the Privacy Commissioners investigated an app that harvested data without Canadian consent, the commissioners demanded change in a report into how data is collected on the platform. In response, at least in the eyes of the commissioners at the time, Facebook either made little progress to meet those requirements for change or simply shrugged the whole thing off. It was at that point that people realized how few tools the commissioners really had after they simply filed a lawsuit against Facebook in a bid to hold them accountable. It was after that incident that Canadian observers raised serious questions over whether or not the privacy commissioners have sufficient powers. Additionally, some even went so far as to ask if it’s time that they are given the power to levy fines against companies.
As of now, the commissioners can largely only say, “stop, or I’ll say stop again!” They can issue reports and offer analysis on different situations as they arise. As for actual teeth for law enforcement, Facebook showed Canada that they really don’t have much power on that front.
Because of this, Canada began looking less like a privacy haven and more like a wild west in the privacy world. The image that Canada has robust privacy laws thanks to having dedicated privacy commissioners began to erode. The issue partially got raised during the last French-language debate during the election. Unfortunately, the issue largely slid out of public view shortly after.
Unless Canadian politicians are proposing major reforms to Canadian privacy laws that strengthen the office (to our knowledge, that isn’t really happening), then history will likely repeat itself. The commissioners will look into the situation, then comment about it after, realizing they have few other tools in the tool chest to do anything about it. At least the class action lawsuit might actually have a chance at making a real impact in this case. Otherwise, Canadians will have to live with the fact that some of their personal information is floating around in the dark corners of the Internet, and there really isn’t much they can do about it.
Drew Wilson on Twitter: @icecube85 and Facebook.