The company disclosed a data breach in December 2019 and a class action lawsuit arising out of that breach was certified, meaning approved, by the Ontario Superior Court of Justice.
The online health portal operated by the lab has more than 2.3 million patients accessing their test results each year, and the bulk of the lab’s revenue is publicly funded, court documents indicate.
The plaintiffs alleged the company didn’t have adequate and effective cybersecurity in place. In one case, it was alleged a patient affected by the breach was not notified until some two months after LifeLabs first reported the security breach to the offices of the Ontario, B.C., and other provincial privacy commissioners.
KPMG said the class action lawsuit includes approximately 8.6 million individuals who had their personal information stolen, including their provincial health card numbers. Another approximately 131,957 patients of the lab had confidential test requisitions or test results stolen by hackers, who then demanded a ransom.
“LifeLabs paid a ransom and the cyber-attackers returned the data. That data has not been identified as being sold on the dark web or otherwise misused by anyone,” said KPMG.
The company negotiated a settlement with the plaintiffs and the court will hold a hearing on Oct. 25 by video conference to consider approving the proposed settlement.
The company would not be admitting any liability, unlawful conduct, or negligence under the terms of the settlement. Individuals whose data was compromised and who have a valid claim could receive from $50 to $150 if the proposed $4.9 million settlement receives court approval.
Those who receive a portion of the settlement would be paid by e-transfer or cheque, according to the agreement.