CarePartners Privacy Breach Class Action Lawsuit Canada

Privacy Breach Class Action Lawsuit Launched Against CarePartners

Howie, Sacks & Henry LLP, Waddell Phillips PC and Schneider Law Firm joined forces to launch a class action lawsuit against CarePartners arising out of a cyber-attack in June 2018.

The CarePartners privacy breach class action lawsuit seeks compensation on behalf of current and former CarePartners patients and staff in Canada whose personal information was implicated in the cyber-attack. The action alleges that hackers were able to exploit CarePartners’ inadequate and outdated security systems to access CarePartners’ computer network and that, as a result, the personal information of patients and staff held in that system was inappropriately accessed by the hackers.

The personal information included detailed medical records, financial information, and contact information, along with information about patients’ daily lives, workplaces, families and homes.


To submit an electronic claim, please visit the Claims Administrator’s website at the link below and follow the steps:

A Settlement Has Been Reached

The parties have negotiated a settlement of this proposed class action. A copy of the Settlement Agreement can be viewed here.

The settlement was approved by the court on March 2, 2022.

The Terms of the Settlement

CarePartners has agreed to pay up to $3.44 million to fully and finally settle the action, all inclusive. The Class will provide CarePartners with a full and final release in return.

The total amount paid by CarePartners will be based on the total number of people whose data was taken from CarePartners’ computer systems and then provided to the CBC by the hackers. The CBC has reported that it may have received the data of up to 80,000 individuals. If the data released to the CBC pertains to fewer than 45,000 individuals, then the settlement total will be reduced to $2.44 million.

The amount paid to each qualifying class member will depend on the total number of affected class members, and how many people make a claim. We estimate the payment will be at least $25 per person.

The CBC has not released any of the data produced by the hackers (although CBC reporters did review the data), and has kept the information in a secure, off-line location.

What Happens Next

Once all the Affected Class Members have been identified in the CBC data, then a notice will be sent to the last known address for every individual who is identified to have had their personal information included in the data produced to the CBC (the “Affected Class Members”). Only Affected Class Members will be entitled to claim a portion of the settlement fund. The settlement fund will be divided equally among all Affected Class Members who submit a claim before a deadline that will be set by the court. Details about how to submit a claim and the claim deadline will be included with the notice sent to the Affected Class Members.

If you fall within the class definition and you do not wish to be included in this class action, then you can “opt out”. To opt out, send an email or letter to the Claims Administrator:

Trilogy Class Action Services c/o CarePartners Class Action Settlement
117 Queen Street, PO Box 1000,
Niagara-on-the-Lake ON L0S 1J0

If you want more information about the settlement, we would be pleased to speak with you or send you an email. Please contact our team at 1-877-771-7006 or email Paul Miller directly at


The Facts

CarePartners is one of Ontario’s largest private healthcare services providers. It specializes in providing out-of-hospital care to patients at their homes, schools, or workplaces, including personal support care, nursing care, rehabilitation care, caregiver support and palliative care. CarePartners provides its services to patients primarily as a partner of Ontario’s Local Health Integration Networks and runs its own network of clinics.

At the time of the cyber-attack, CarePartners had provided services to approximately 237,000 patients, and held substantial amounts of sensitive personal health information for each one of those patients, as well as personal information for its over 4,500 staff and contract workers.

On June 11, 2018, hackers informed CarePartners that they had accessed the CarePartners network and extracted data from its servers. The hackers attached a sample of CarePartners’ patient and employee data, which CarePartners verified to be authentic data that had resided on its servers. The hackers demanded undisclosed amounts of money from CarePartners as a ransom in exchange for the hackers not posting or selling the data online. CarePartners did not pay the ransom, and the hackers began approaching media outlets regarding the breach, which included providing CBC News reporters with access to a large sample of the stolen data.

CarePartners did not provide individuals affected by the cyber-attack with direct notice that the attack had occurred until after the CBC News report. The notice that was provided did not explain how the breach occurred, the scope of the data that was stolen, or what efforts CarePartners made to recover the data. To date, CarePartners has not provided affected individuals with any details regarding these important issues.

The Law

According to the law, CarePartners owes a duty of care to its patients and staff and is obliged to maintain confidentiality and protect the privacy of its patients’ and staff’s personal information.

Every patient and staff member of CarePartners has the reasonable expectation that their right to privacy and confidentiality will be respected. That means their personal information will not be disclosed to the public or to any unauthorized individuals without their express consent. It also means that CarePartners will have appropriate safeguards to protect against a cyber-attack and to limit the exposure even in the case of a successful cyber-attack.

The Canadian CarePartners privacy breach lawsuit alleges that through CarePartners’ failure to have proper security protections in place to protect the highly sensitive information of its patients and staff, those expectations were not met, and that CarePartners breached the privacy rights of its patients and staff.

The Proposed Class Proceeding

This proposed CarePartners privacy breach class action lawsuit is brought in Canada on behalf of all persons, excluding CarePartners’ senior executives, officers and directors, whose personal information was accessed in the cyber-attack and produced to the CBC. The claim alleges that CarePartners is liable for breach of privacy, breach of contract, negligence, and breaches of various statutes.

Contact Us

If you are a current or former patient, employee, or contractor of CarePartners, you may be eligible for compensation for the damages you suffered due to the cyber-attack. To identify yourself as a potential member of the CarePartners privacy breach class action lawsuit in Canada and for more information, please contact our team at 1-877-771-7006 or email Paul Miller directly at

There is no cost to you to participate as a class member in this proposed class action. The lawyers are working on a contingency fee arrangement, and will only be paid from the proceeds of the litigation, if it is successful.

Among the best in Canada

Since 2011, our peers have consistently voted for us as one of Canada’s top personal injury firms in Canadian Lawyer magazine’s annual rankings of the top personal injury boutiques in Canada.
