Approximately 270,000 patients in southwestern Ontario find themselves embroiled in a legal battle as a $480-million class-action lawsuit emerges following a cybersecurity breach. The lawsuit, initiated by a patient of Sarnia’s Bluewater Health, alleges a breach of privacy rights, resulting in severe mental distress and loss of dignity among affected individuals.
Lawyer Mireille Dahab from Dahab Law, handling the class action, attributes the situation to negligence, emphasizing the leak of highly sensitive personal data for thousands of Ontarians. The breach, claimed by the Daixin Team responsible for a ransomware attack detected on October 23, targeted multiple health agencies, including Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Windsor Regional Hospital, and TransForm Shared Service Organization.
The lawsuit, filed in Sarnia on November 15, seeks $480,600,000 in damages and represents all Ontario residents who were patients at any of the five hospitals or had their data managed by TransForm, compromised by the cyberattack. Dahab mentioned that nearly all patients visiting these hospitals might have been affected as their information remained within the compromised systems.
The accused organizations have not submitted a statement of defense, with the allegations yet to be proven in court. While the hospitals refrained from commenting, they confirmed the significant breach at Bluewater Health, compromising more than 5.6 million records, including social insurance numbers for approximately 20,000 patients.
Despite hackers claiming the sale of the stolen data, cybersecurity analyst Brett Callow cautioned that such assertions might be speculative, aiming to pressure future victims into paying. The lawsuit also details potential crimes, including identity theft and fraud, while highlighting the mental distress suffered by affected patients due to the invasion of their highly sensitive personal information.
The statement of claim accuses the hospitals of inadequately safeguarding patient files and information stored in their systems, failing to meet the requisite standard of care. It asserts that the gravity of handling such sensitive data warrants a higher standard, dictated by industry practices, common law, and privacy legislation.
