Schneider Law Firm, along with Waddell Phillips Professional Corporation and Howie, Sacks & Henry LLP, have launched a proposed class action in relation to a privacy breach that was announced by CarePartners in June 2018.
The claim alleges that cyber attackers were able to exploit CarePartners’ inadequate and outdated security systems to access CarePartners’ computer network and extract data containing the personal information and personal health information of hundreds of thousands of CarePartners patients and staff (the “Breach”). The compromised information includes detailed medical records and financial information, as well as contact information, and information about patients’ daily lives, workplaces, families, and homes.
This proposed class action is brought on behalf of all persons, excluding CarePartners’ senior executives, officers and directors, and unionized staff, whose Personal Information and/or Personal Health Information was accessed in the Breach. The claim alleges that CarePartners is liable for breach of privacy, breach of contract, negligence, and various breaches of various statutes.
There is no cost to participate in this class proceeding. The lawyers are working on a contingency fee arrangement, and will only be paid from the proceeds of the litigation, if successful.
The Cyber Breach at CarePartners
CarePartners is one of Ontario’s largest private healthcare services providers. It specializes in providing out-of-hospital care—including personal support care, nursing care, rehabilitation care, caregiver support, and palliative care—to patients at their homes, schools or workplaces. CarePartners provides its services to patients primarily as a partner of Ontario’s Local Health Integration Networks (“LHINs”), although it also runs its own network of clinics. In total, CarePartners had provided services to approximately 237,000 patients at the time of the Breach.
To carry out its work, CarePartners collects a large quantity of sensitive personal information, including personal health information, from its patients and their families, as well as sensitive personal information, including personal financial information, from its over 4,500 staff and contract workers.
On June 11, 2018, hackers informed CarePartners that they had penetrated CarePartners’ computer network, and used their unauthorized access to extract virtually all of the data on their servers dating back to 2010. They provided a sample of the stolen data to accompany their claim (which CarePartners verified as authentic), and demanded an undisclosed amount of money as ransom in exchange for not posting the stolen data online. CarePartners did not pay the ransom, and the hackers began approaching media outlets regarding the Breach, which included providing CBC News reporters with access to a large sample of the stolen data, which CBC News reported on here.
CarePartners did not provide individuals affected by the Breach with direct notice that the Breach had occurred until after the CBC News report. The notice that was provided did not explain how the Breach occurred, the scope of the data that was stolen, or what efforts CarePartners made to recover the data. To date, CarePartners has not provided affected individuals with any details regarding these important issues.
A Settlement Has been Reached
The parties have negotiated a settlement of this proposed class action. A copy of the Settlement Agreement can be viewed here.
The Terms of the Settlement
Under the terms of the settlement, CarePartners will pay up to $3.44 million to fully and finally settle the action, all inclusive. In return the Class will provide CarePartners with a full and final release. The total amount that CarePartners will pay will depend on the total number of individuals whose data was taken from CarePartners’ computer systems, and was produced to the CBC as part of the hackers’ attempt to extort a ransom from CarePartners. CBC reported that as many as 80,000 individual’s data may have been produced. If fewer than 45,000 individuals are identified from the data released to CBC, then the total amount of the settlement will be reduced to $2.44 million.
The total amount that will be paid to qualifying Class Members will depend upon the total number of affected Class Members, and how many affected Class Members make a claim. The payment is estimated to be no less than $25 per person.
None of the data produced to CBC has been released by it, and the data has been kept in a secure, off-line location; but the data was reviewed by CBC reporters.
No money is being paid out yet. The action must first be certified and the settlement approved.
What Happens Next
The settlement has been approved by the court and a notice has been sent to the last known address for every individual who is identified to have had their personal information included in the data produced to the CBC (the “affected class members”). Only affected class members are entitled to receive a portion of the settlement fund. The settlement fund will be divided equally among all qualified class members who submit a claim before January 11, 2023. Details about how to submit a claim and the claim deadline can be found in the notice sent to the qualified class members. If you do not wish to be included in this class action, details about how to “opt out” are also contained in the notice.
To submit an electronic claim, please visit the Claims Administrator’s website at the link below and follow the steps: https://portal.carepartnersprivacybreach.ca/
If you want more information about the Settlement, we would be pleased to speak with you. Please email email@example.com.
If you are a current or former patient, non-unionized employee, or contractor of CarePartners, you may be eligible for compensation if the action is successful. For more information, or to ensure that you are provided with important notices about the class action as it progresses, please contact Adam Warner at Schneider Law Firm. Your information will be kept strictly confidential and will be used only to communicate with you, and to assist with the prosecution of the action.