LifeLabs Facing Multiple Class Action Lawsuits After Privacy Breach

In June, privacy commissioners in British Columbia and Ontario found that LifeLabs, the largest laboratory testing company in Canada, breached millions of customers’ privacy by failing to secure the proper defenses in order to keep personal health data safe. 

A cyber attack threatened the company’s stored data in October 2019, violating up to 15 million Canadian’s health information. Cyber attackers allegedly burglarized LifeLabs’ data collection, which included patients’ names, addresses, email addresses, login and password information, birthdates, and health card numbers.

More than a third of all laboratory tests in British Columbia are carried out by LifeLabs. The company compiles deeply private identifiable client information in addition to health information and health services received by the patient. 

In December, LifeLabs acknowledged the cyber attack and announced that clients’ private health data had been violated in an open letter. In this letter, LifeLabs admitted that not only did hackers retrieve clients’ personal data but they had also paid a ransom to the cyber attackers.

The privacy commissioners found that LifeLabs neglected to take suitable actions to protect customers’ personal health information, did not have acceptable security policies, and the company stored more patient personal health data than necessary.

A number of Class action lawsuits have been launched against LifeLabs for the many indiscretions made by the company. 

One of those recent claims involved lead plaintiff Vincent Gogolek who is filing the LifeLabs class action lawsuit on his own behalf and on behalf of Class Members, defined as: “all persons residing in Canada whose Personal Information was stored on computer systems in the control of the LifeLabs Group that were compromised or accessed by unauthorized persons before December 17, 2019.” 

The proposed LifeLabs class action lawsuit states that The Lifelabs Group acknowledged several things that went against the data breach. Namely, that safeguarding the privacy and security of personal information was essential to its virtues, that the company was responsible for protecting data, and that its standards require security measures that defend against theft and unauthorized access. 

However, the class action lawsuit alleges that LifeLabs failed to meet the following standards and requirements, which resulted in the security breach:

• Storing unencrypted personal information
• Storing usernames and passwords without salting and hashing
• Failing to use network segmentation and segregation
• Declining to do consistent back-ups 
• Not installing security patches and other software updates
• Refraining from training employees to deal with phishing and other cyber attacks
• Failing to delete and eradicate stored personal information after there was no longer a reason to keep it

On top of these procedural failures, the LifeLabs class action lawsuit alleges the company did not inform Vincent following the data breach. According to the LifeLabs class action lawsuit, he was not addressed by Lifelabs Group about the security breach, by postal service, courier or email, although he had the same address since July 2012 and the same email address for more than 20 years. Vincent learned about the data breach and open letter only from media coverage. He then claims he contacted the company and was given information about receiving credit monitoring services. 

The  LifeLabs class action lawsuit also alleges that LifeLabs has had a previous cyber attack, which did not result in taking precautions to prevent them in the future. In January 2013, Lifelabs Group endured a security breach that violated the personal information of 16,000 of its customers in Kamloops, British Columbia. This incident alleges that Lifelabs Group knew they were susceptible to being hacked, but they failed to take measures to protect patient information.

Vincent was a LifeLabs patient, having received medical diagnostic laboratory testing services since approximately 2002. He received services from the Lifelabs Group as recently as May 2019.

The privacy breach class action lawsuit claims that Vincent and other Class Members are seeking relief due to the following wrongdoings by Life Labs: 

• The defendants owed a duty of care to the Plaintiff and Class Members in the collection and safeguarding of their personal information
• The security breach was a result of the defendants violating the standard of care required of them
• The security breach was due to breaches of contracts with the plaintiff and class members
• The defendants intruded upon the seclusion of the plaintiff and class members
• The defendants breached the confidence of the plaintiff and class members
• The defendants were deceitful to the plaintiff and class members
• The defendants were unjustly enriched, to the deprivation of the plaintiff and the class members. 
• Restitution for unjust enrichment and waiver of tort
• Punitive damages
• Pre- and post-judgment interest

As a result of LifeLabs’ alleged negligence, Vincent and Class Members seek damages for mental distress, wasted time, inconvenience, and expenses. 

Were you one of the 15 million Canadians whose personal information was breached by LifeLabs? Do you plan to join a class action lawsuit? Why or why not? Tell us your story in the comment section below!

The plaintiff is represented by Jamie Thornback of Camp Fiorante Matthews Mogerman LLP.

The LifeLabs Privacy Breach Class Action Lawsuit is Vincent Gogolek v. LifeLabs Inc., et al., Case No. VLC-S-S-203526, in the Supreme Court of British Columbia, Canada.

Read More Class Action Lawsuit & Settlement News:

Long Term Disability Lawyer | Insurance Claim Denial Help

Canada Roundup Glyphosate Cancer Class Action Lawsuit Investigation

Cargill Meat-Packing Plant Faces Class Action Lawsuit After Deadly COVID-19 Outbreak

Canada Reimbursing Workers Impacted by Phoenix Pay System