Class Action News

TORONTO -- After a massive data breach that jeopardized the personal information of more than 15 million Canadians, LifeLabs extended an olive branch to its customers: 12 months of identity theft insurance through TransUnion.

But many of those left compromised by the cyberattack say they are hesitant to hand over more personal data to TransUnion, a credit reporting agency with its own history of data breaches.

“They’re moving our data from one unsecure site to another unsecure site,” LifeLabs customer Bonnie Brugger said by phone from her home in rural B.C. last week.

“What is being promised by [LifeLabs] is not what we think it is. We’re putting our identities at further risk.”

Shortly after news of the data breach broke, Brugger called a dedicated phone line set up by LifeLabs to activate her coverage through TransUnion. After discovering she needed access to a computer in order to complete the process, she called TransUnion directly and claims she was connected to an India-based call centre.

Already skeptical that her data would be stored outside of Canada, Brugger says she was then asked for her Social Insurance Number (SIN) to confirm her identity.

“You have all of this personal and medical information, and then you connect it with a Social Insurance Number,” Brugger said.

“They don’t need anything else to steal your identity. That is beyond gold for a cybercriminal... And if all this is going to a server in India, every alarm bell is going off in my head.”

In an emailed statement Thursday, a TransUnion spokesperson confirmed that its customer support agents may request a social insurance number “when locating a customer’s file or verifying their identity.”

However, the company notes that customers are not required to provide TransUnion with that information.

The company also confirmed that Canadian consumer data is only stored on servers inside of Canada.

“Information security is a company-wide priority at all levels of our organization,” reads the statement.

“TransUnion takes a multilayered, risk-based approach to security, which is based on a number of overlapping and redundant controls designed to prevent, detect and respond to cyber threats.”

In October, TransUnion confirmed that the personal information of 37,000 Canadians was compromised after one of its business customers’ login credentials was fraudulently used to access data.

"The unauthorized access was not the result of a breach or failure of TransUnion's systems or our customer's system," a company spokesperson said at the time.

But Brugger isn’t the only LifeLabs customer to feel wary about TransUnion’s history -- several people have taken to Twitter to voice their concerns.

Ed Toombs @edtoombs
To get the #Lifelabs protection compensation you have to become a client of Transunion, a credit agency, and give THEM your personal info. And Transunion was recently breached also. So I am passing on this generous offer big-time. Incredible.

In an emailed statement, LifeLabs said the company has discussed previous security concerns with TransUnion and has “faith” in the company to provide safe and secure services to its customers.

“TransUnion has told us that this was an isolated incident involving one of TransUnion’s business customers and that their systems were not breached and there was no failure of their systems or security controls,” a LifeLabs spokesperson said via email.

“As such, LifeLabs has faith in TransUnion’s ability to provide safe and secure credit monitoring and fraud insurance protection to LifeLabs customers who may have been impacted by the breach.”

LifeLabs noted that the estimated number of customers impacted by its own security breach has not changed since the initial announcement in December.

Should consumers trust a company with a data breach history? No, experts say

Privacy experts say customers have every right to be wary, especially considering the sensitive medical information already involved in the LifeLabs breach.

“I wouldn’t use the word ‘trust’ at all,” former Ont. privacy commissioner Ann Cavoukian said by phone. “Unfortunately they have no recourse other than to use TransUnion.”

Cavoukian, who described the LifeLabs data breach as “devastating,” says she is most concerned that the company is only offering one year of personal data protection.

“The bad guys, the hackers, sit on the data for a year and then they strike,” she explained.

Mahesh Tripunitara, cybersecurity expert at the University of Waterloo, says that a reoccurring theme in both data breaches is the improper archiving of customer information.

“I love using Google products... [but] the only way I can use Google Maps, for example, is to give them my information for them to archive and use as much as they want,” Tripunitara said by phone.

“It’s the same with LifeLabs—how many of us knew they were archiving this information? It’s probably hidden in some gobbledygook and no one reads that anyway.”

Both Cavoukian and Tripunitara agree that companies collecting consumer data need to be more transparent about what kind of information they’re storing, how long they are storing it for, and what security measures are in place to protect it.

Cavoukian says that starts with consumers demanding to have their data protected.

“Consumers should be asking companies to protect them,” she said. “In posing the question it raises a flag about security and gets them to do more.”

Both experts say that the best thing affected LifeLabs customers can do is keep a close eye on their personal and financial data and flag any potential identity theft as soon as it’s spotted.


A proposed class-action lawsuit has been filed against medical services company LifeLabs over a data breach that allowed hackers to access the personal information of up to 15 million customers.

In an unproven statement of claim filed in Ontario Superior Court on Dec. 27, lawyers Peter Waldmann and Andrew Stein accuse LifeLabs of negligence, breach of contract and violating their customers’ confidence as well as privacy and consumer protection laws.

The statement of claim was filed on behalf of five named plaintiffs, including lead plaintiff Christopher Sparling, but seeks to represent all Canadians who used LifeLabs’ services, or else those who were told they were affected by the breach, if that information becomes available.

The plaintiffs allege LifeLabs “failed to implement adequate measures and controls to detect and respond swiftly to threats and risks to the Personal Information and health records of the class members,” in violation of the company’s own privacy policy.

In the court document, specific allegations include a failure to implement “any, or adequate, cyber-security measures,” neglecting to hire or train personnel responsible for network security management, storing personal information on unsecured networks and servers, and failing to encrypt the data.

LifeLabs has said the data hack affected up to 15 million customers, almost all of them in Ontario and British Columbia. The compromised database included health card numbers, names, email addresses, logins, passwords and dates of birth, but it was unclear how many files were accessed. The lab results of 85,000 customers in Ontario were also obtained by the hackers, the company said.

The class action, which has yet to be certified, asks for more than $1.13-billion in compensation for LifeLabs’ clients, who they say experienced repercussions including damage to their credit reputation, wasted time and mental anguish.

“The Plaintiffs and the Class Members are therefore obliged to take all reasonable steps necessary to protect their information including hours of wasted time and inconvenience involved in applying for identity theft protection services, changing passwords, notifying financial institutions and applying for new social insurance numbers from Service Canada, as well as the humiliation and mental distress of having lab tests results released without their consent,” the statement of claim read.

The plaintiffs are also seeking additional punitive and moral damages.

LifeLabs chief executive Charles Brown apologized earlier this month for the breach, which led the company to pay a ransom to retrieve the data.

The company also assured the public that its consultants have seen no evidence that data from LifeLabs has been trafficked by criminal groups that are known to buy and sell such data over the internet.

The company did not immediately respond to a request for comment on Sunday.