The companies were the target of a cyberattack that extracted personal information that included names, addresses, dates of birth, health diagnoses and conditions, heights, weights, phone numbers, email addresses, medical histories, medical prescriptions, financial records and SINs, according to the statement of claim.
It was alleged that this was caused by the defendants’ failure to properly secure and safeguard the class members’ “highly sensitive personal, financial and health information” from criminal hackers. The full extent of the breach was said to not yet be known.
Cencora, a U.S.-based company, provides medical products and services to patients and health-care providers, operating in 1,300 locations in 50 countries. It learned that it was subject to a hack on Feb. 21 and notified the affected individuals on May 17. Innomar Strategies is Cencora’s Canadian affiliate, collecting patient information to provide medication.
The claim alleged that class members “continue to be at significant risk of identity theft and various other forms of personal, social, and financial harm” and that the company had “declined to describe what led to the data breach, such as whether the incident was caused by malicious hackers or a security lapse within the organization.”
It said the delayed communication of the breach and the possibility of cross-referencing with other data breaches significantly elevated the risk to class members, continuing on to say that there is a significant resale market for medical information as it is used to supplement other records used for identity theft.
Innomar was alleged to have transferred class members' personal information to the Cencora servers in the United States where it was hacked, with the purpose of the transfer being unknown to the plaintiffs, who are pleading that Innomar failed to obtain any consent, regardless of whether it was meaningful, from class members when the data was transferred to another company.
It was alleged to have intentionally or recklessly failed to destroy class members’ personal information when it was no longer needed, and that it knowingly or recklessly made materially false or misleading representations regarding the state of their cyber-security to the public.
The proposed class action said the defendants were involved in negligence and statutory torts for privacy violations and brought forth consumer protection claims and Competition Act claims.
It seeks a declaration that the defendants breached the Personal Information Protection and Electronic Documents Act (PIPEDA), provincial personal health information legislation, the Consumer Protection Act and the Competition Act.
It further seeks a declaration that the defendants owed a duty of care to the class and that both defendants breached their contracts with the class. General and special damages are being sought, along with an order for an aggregate assessment of damages and punitive damages.
According to the claim, the class were said to have suffered mental distress, humiliation, anguish, stress, anxiety and out-of-pocket expenses to protect themselves from fraudulent activities, which included payments for additional credit monitoring.
The action was filed in the Supreme Court of British Columbia on Oct. 30 on behalf of all Canadians whose personal information was compromised in the breach.
If you have information, story ideas or news tips for Law360 Canada on business-related law and litigation, including class actions, please contact Anosha Khan at anosha.khan@lexisnexis.ca or 905-415-5838.