Send this page to someone via email

A day after LifeLabs announced a data breach that potentially impacts up to 15 million Canadians, one of those patients is taking the company to court in a proposed class-action lawsuit.

In a notice of civil claim filed in B.C. Supreme Court Wednesday, Kenneth Morrison argues LifeLabs breached the contract it signs with all customers to keep their private information secure and confidential.

Morrison, a retired Vancouver computer technician who has been a customer since 2014, claims the company “failed to treat privacy and security as its top priorities” and did not take proper care to protect the private information from a breach.

“As a result of the storage breach, the [customers], including the plaintiff, have been exposed to a real and substantial risk of identity theft, cybercrime, phishing, extortion and further disclosure of their highly sensitive medical information,” the lawsuit reads.

Story continues below advertisement

The lawsuit is open to any B.C. resident who was a customer of LifeLabs before Dec. 17, 2019.

Morrison’s lawyer, David Aaron, declined to comment on the case or on whether anyone else has signed on to the lawsuit.

LifeLabs has 21 days to file a response to the lawsuit’s claims, which have not been proven in court.

3:12 LifeLabs data breach could impact up to 15m customers LifeLabs data breach could impact up to 15m customers

The company, which performs medical lab tests, apologized for the security breach in a statement, adding that it was first discovered several weeks ago.

Compromised information includes health card numbers, names, email addresses, logins, passwords and dates of birth.

While the company is still determining exactly how many people were affected, it said the majority are from Ontario and B.C.

Story continues below advertisement

The company said it hired cybersecurity experts to secure the system and determine the scope of the attack, and paid an undisclosed amount of money as ransom to secure the information.

Morrison’s lawsuit claims LifeLabs’ contract with its customers includes a promise that personal information will be destroyed or deleted “as soon as it is reasonable to assume” that the information is no longer needed.

The lawsuit argues LifeLabs failed to keep that promise, and was “reckless in its conduct amounting to the storage breach.”

3:24 Cyberattack compromises data of 15 million LifeLabs customers Cyberattack compromises data of 15 million LifeLabs customers

“At all material times, LifeLabs owed [customers], including the plaintiff, a common law duty of care with respect to the secure storage of the personal information to prevent unauthorized access, collection, use, disclosure and copying,” the lawsuit reads.

Story continues below advertisement

“Given the sensitivity of the personal information, [LifeLabs] should have had the strongest encryption and security measures in place and should have been diligent with respect to the destruction of personal information where retention was not longer necessary or permitted.”

Morrison is seeking an untold amount in damages for himself and anyone else who signs on to the suit.

The company has set up a phone line specifically to handle related inquiries.

LifeLabs also said Tuesday that customers concerned about the safety of their data will be able to receive “one free year of protection that includes dark web monitoring and identity theft insurance.”

—With files from Maham Abedi