Family services sued after personal info hacked, posted on Facebook

The Family and Children's Services of Lanark, Leeds and Grenville is being sued for more than $75 million after a hacker stole the personal information of 285 clients and people being investigated by the organization — and posted it on Facebook.

Confidential information posted on Smiths Falls Swapshop page earlier this week

An unknown hacker stole information from the Family and Children's Services of Lanark, Leeds and Grenville and then posted it online, according to a statement of claim filed in court. (The Associated Press)

The "highly sensitive" personal information of 285 clients and people being investigated by the Family and Children's Services of Lanark, Leeds and Grenville was stolen by a hacker and posted on Facebook due to "reckless" and "disgraceful" conduct of the organization, according to a $75-million class action lawsuit filed today.

The statement of claim, filed in Ontario Superior Court on behalf of a class action representative listed only as M.M., also names the organization's executive director, Raymond Lemay, Ontario Minister of Children and Youth Services Tracy MacCharles, the Crown and the hacker, identified only as John Doe.

'The damage has been done. That bell can not be unrung.'- Lawyer Sean Brown

The information — which was posted on the Smiths Falls Swapshop Facebook page earlier this week — came from an electronic report on the organization's new cases between April and November 2015 that had been stored on an online portal for board members, according to the statement of claim.

It was the organization's second information breach this year.

The defendants "violated industry standards" and "failed to heed warnings about the inadequate security" to protect the computer systems and website where the confidential information was being stored, according to the statement of claim. 

Toronto-based lawyer Sean A. Brown, who represents the plaintiff, called the information leak a "very serious breach of privacy" in an email to CBC News. 

"That institution made the decision to use an online portal system that was easily accessed by an individual without any obvious hacking skills. The most sensitive and confidential information held by that body, specifically the names of those under its investigation, have now been published on the Internet," he said.

"The damage has been done. That bell can not be unrung."

'We're very sorry' 

Raymond Lemay, the head of Family and Children's Services of Lanark, Leeds and Grenville, told CBC News that the organization has taken its website offline and is working to make sure information is secure.

The website's security was reviewed in February after "corporate information" was hacked but no client information was stolen at that time, Lemay said.

People are pretty upset with us.- Raymond Lemay

"We try to do the best we can, obviously, and in this case it wasn't good enough but at the same time we do depend on outside suppliers, outside experts to help us with this," Lemay said.

"The court process will determine whether there was negligence or not. I think that's the ultimate question."

​The provincial agency provides child welfare services to communities south and west of Ottawa, including Almonte, Brockville, Carleton Place, Gananoque, Kemptville, Perth and Smiths Falls.

Lemay apologized to all those whose personal information was leaked.

"It's a terrible situation. We're very sorry about that," he said, adding that the organization is "doing its best" to contact each individual to apologize directly.

Lemay said Thursday afternoon that he expects to be served the lawsuit today.

​"People are pretty upset with us. Some are angry. Some are sort of mortified by being on the list and all that. So I suspect that this is one way of seeking remedy for the situation so we sort of expected this. We thought that this was certainly a possibility," he said. 

Long list of damages

The defendants are accused of negligence, breach of fiduciary duty and breach of confidence.

The statement of claim further accuses the defendants of failing to immediately notify those whose personal information was leaked.

Lemay said he became aware of the leak only after the information was posted to Facebook, and immediately tried to have the post removed by contacting the person believed to be behind it. The next step was to compile a list of those whose information was leaked and contact them, he said.

"I think under the circumstances, it would have been very difficult to do it any quicker," he said.

The claim calls for $25 million in general damages, $25 million in special damages, $25 million in punitive damages as well as costs. 

According to the claim, the plaintiff and class members suffered:

  • Costs to ensure personal and financial security.
  • Mental distress.
  • Damage to reputation.
  • Loss of employment and/or reduced capacity for employment.
  • Humiliation, inconvenience, frustration and anxiety.

None of the claims has been proven in court.

Read the full statement of claim here.