Millions of Canadians affected by the LifeLabs cyberattack nearly four years ago could be eligible for a small piece — anywhere from $50 to $150 — of a proposed class-action settlement worth at least $4.9 million if approved by a court.
LifeLabs, which describes itself as , announced further details of the class action , linking to a separate webpage with additional information from .
Any Canadian resident who was a LifeLabs customer on or before Dec. 17, 2019 – the day the company announced it had been the target of a data breach – and whose personal information, including lab results, was accessed could receive a cash payment as part of the proposed settlement.
LifeLabs says the Ontario Superior Court of Justice will hold a hearing on Oct. 25 to potentially approve the settlement.
, LifeLabs would "not admit ... any allegation of unlawful conduct" or liability.
HOW MUCH COULD I RECEIVE?
If the court approves the settlement, LifeLabs will provide a guaranteed $4.9 million in compensation and potentially up to another $4.9 million depending on the number of claims, information provided by KPMG says.
In the end, members who make a valid claim can expect to receive about $50 — potentially more or less — up to a maximum of $150.
This will depend on the number of valid claims made as well as legal fees, the latter of which could be 25 per cent of the settlement plus other costs such as taxes.
Details provided by KPMG say that the lawyers involved do not get paid unless a court approves a settlement or makes an award following a trial.
WHAT WAS THE LIFELABS BREACH?
LifeLabs announced the data breach in December 2019, but the company said it discovered the cyberattack in late October.
At the time, LifeLabs said that as many as 15 million customers may have had their personal data accessed, mostly in Ontario and British Columbia.
As many as 85,000 Ontario customers with lab results from 2016 or earlier also were affected.
The company confirmed that it paid a ransom for the data, the amount of which was undisclosed.
"I'd like to say to our customers that we're sorry. We realize this may have shaken their confidence and we'll do everything we can to win it back," LifeLabs president and CEO Charles Brown told Â鶹ӰÊÓ at the time.
"We know that health data is important and we do take that responsibility quite seriously."
Following the hack, LifeLabs provided an update in saying that up to that point, no customer data had been released publicly.
detailing the proposed class action settlement also says that the data has not been sold on the dark web or been misused by anyone.
In June 2020, a joint investigation from the information and privacy commissioners of Ontario and B.C. concluded that LifeLabs .
LifeLabs later sought a court order to prevent the release of the privacy commissioners' full report, citing privileged and confidential information.
IF I'M AFFECTED, WHAT DO I DO NOW?
The class action itself includes about 8.6 million people, KPMG says, including about 132,000 people whose confidential test requisitions or results were stolen.
Affected customers have the option of participating in the settlement, staying in the class action and objecting to the settlement, or opting out.
Members who stay in the class action but are opposed to the terms of the settlement or the lawyers' fees can file a written objection to the court by Oct. 20. An email is listed on the KPMG website for those who wish to submit an objection.
Anyone who decides not to participate in the class action can opt out by Sept. 9 under a separate email address.
Although members who opt out will not be eligible for a claim under the settlement, they could bring their own lawsuit forward instead.
If the court approves the settlement, members of the class action will be given a 120-day period, starting in December, to submit a claim form.
Should the court decide not to approve the agreement, then the class action would continue.