Class Action News

The motions for leave to appeal the order of Belobaba J. dated May 6, 2020 are dismissed. Read the decision here.


VICTORIA — A joint investigation by the privacy commissioners of B.C. and Ontario says LifeLabs failed to put in place reasonable safeguards to protect the personal health information of millions of Canadians.

A statement released Thursday by the commissioners says the breach last year at LifeLabs, one of Canada’s largest medical services companies, broke B.C.’s personal information protection law and Ontario’s health privacy law.

The joint investigation found LifeLabs collected more personal health information than was necessary, failed to protect that data in its electronic systems and relied on inadequate information technology security policies.

Both offices have ordered LifeLabs to address the shortcomings through measures that include improving its security systems and creating written policies and practices regarding information technology security.

LifeLabs revealed last November that hackers gained access to the personal information of up to 15 million customers, almost all in Ontario and B.C., and that the company was forced to pay a ransom to retrieve and secure the data.

The breach was determined to have affected millions of Canadians and the privacy commissioners announced their joint probe in mid-December.

Michael McEvoy, information and privacy commissioner of B.C. said the failure by LifeLabs to properly protect the personal health information is unacceptable.

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss and reputational harm. The orders made are aimed at making sure this doesn’t happen again.”

Ontario commissioner Brian Beamish says the breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.

“I look forward to providing the public, and particularly those who were affected by the breach, with the full details of our investigation,” Beamish says in the statement.

LifeLabs issued a statement saying it has taken steps to accelerate its strategy to strengthen its information security systems, including appointing a chief information security officer to lead the improvements.

The firm said it has accelerated its information security management program with an initial $50-million investment and has hired a third-party service to evaluate its response.

“What we have learned from last year’s cyberattack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do,” LifeLabs says in its statement.

A proposed class-action lawsuit was filed against the company last year over the data breach. The statement of claim filed in Ontario accused the firm of negligence, breach of contract and violating their customers’ confidence as well as privacy and consumer protection laws.


The privacy commissioners in Ontario and British Columbia have concluded LifeLabs, Canada’s largest laboratory-testing company, violated the privacy of millions of Canadians after lapses that created the conditions for the breach.

The findings, released on Thursday, said the company’s failure to implement reasonable safeguards to protect the personal health information resulted in a major cyber attack late last year, a violation of privacy laws in both provinces.

The report notes the company failed to take reasonable steps to protect the personal health information in its electronic systems, failed to have adequate information-technology security policies in place, and collected more personal health information than was reasonably necessary.

The cyber attack last October affected up to 15 million customers, almost all of them in Ontario and B.C. The personal information stolen from the lab-test provider could include a customer’s name, address, e-mail, login, passwords, date of birth and health-card number.

In a statement issued Thursday, the company said it has taken a number of steps to enhance and strengthen its information security systems, including appointing a chief information security officer to lead the improvements, and implementing strengthened cybercrime-detection technology across the organization.

“From the beginning, LifeLabs has committed to being open and transparent and we will continue to follow these principles as we work together on a path forward,” the statement reads.

“We made a commitment to our customers that we would learn and work hard to earn back their trust.”

The full report of the investigation has yet to be made public: Ontario Information and Privacy Commissioner Brian Beamish said both Ontario and B.C. are “eager” to release the report publicly, but he said LifeLabs is claiming that key elements are confidential or covered by solicitor-client privilege.

“We strongly disagree. We have provided LifeLabs with detailed reasons why we reject their claim. Based on LifeLabs’s position throughout this investigation, we fully expect them to bring us to court to prevent us from publishing the report,” Mr. Beamish said in a statement.

Michael McEvoy, the Information and Privacy Commissioner for B.C., said the company should adhere to its promise to the public as being “open and transparent.”

“We hope that they will, in fact, do so, and raise no objection to this report being made public within the next few days,” he said in an interview.

B.C. Health Minister Adrian Dix called on LifeLabs, a major contractor to his ministry, to abandon its objections to releasing the report.

“I want to see the report,” he told reporters.

“We know that this is a serious issue that every health system is facing right now – health systems all over the world are under, I’d say, constant attack.”

The B.C. Ministry of Health overhauled its contract with LifeLabs after the breach occurred. The new contract includes provisions that strengthen the privacy considerations, Mr. Dix said, and will incorporate the recommendations with the information and privacy commissioners of Ontario and B.C.

“So I think people can be confident that significant changes have been made when they go to LifeLabs,” he said.

He added that he is not aware of any indication that the leaked information was misused, but he said the breach undermined public confidence.

Currently, B.C.‘s privacy commissioner does not have the power to issue financial penalties on companies that violate people’s privacy rights, but Mr. McEvoy said in the joint statement that the investigation also reinforces the need for changes to B.C.‘s laws that allow regulators to have such ability.

Mr. Dix said he is supportive of a proposal to give the province’s privacy watchdog the power, but said that decision will be part of a larger review of the Privacy Act which is still taking place.

Recent amendments to Ontario’s health privacy legislation passed in March give that province’s privacy commissioner the power to levy monetary penalties – at his discretion – for privacy breaches. However, the regulations have yet to be developed.

“If they were in effect, this is definitely a case where I would consider such a penalty,” Mr. Beamish said.

Health Minister Christine Elliott’s office said the province is engaged with stakeholders on the regulations but there is no date on when they will be introduced.

“We thank the Information and Privacy Commissioner for their work and have every expectation that LifeLabs will implement the recommendations,” spokeswoman Hayley Chazan said.

In December, a proposed class-action lawsuit was filed against LifeLabs over the breach. In an unproven statement of claim filed in Ontario Superior Court, lawyers Peter Waldmann and Andrew Stein accuse LifeLabs of negligence, breach of contract and violating their customers’ confidence, as well as privacy and consumer protection laws.

Mr. Waldmann said the findings of the joint investigation “certainly makes the case a lot stronger.”

“The investigation presumably will help us find out what happened, which is the only reason I would think they would not want to disclose it, because it’s embarrassing,” he said.

He said 13 law firms across the country have brought class actions forward and a court will decide which case will go ahead.