The company that oversees the federal government’s $900 million settlement deal with members of the military who were sexually harassed in uniform has acknowledged more privacy violations.
Canada’s Epiq Class Action Service confirmed additional wrongdoing last week after a second veteran came forward to The Canadian Press to report having received emails containing personal details from a different plaintiff late last year.
France Menard said she decided to speak up after reading a Canadian Press report last month about Epiq accidentally sending the names, email addresses and claim numbers of dozens of other plaintiffs to fellow veteran Amy Green.
Epiq at the time said it had mistakenly disclosed “limited information” about less than 100 of the 20,000 people who had filed for compensation as part of a class action settlement to one other plaintiff.
“Obviously he’s not the only one,” Menard said in an interview from his home in Fredericton. “People are now wondering: Is my information out there?”
Information from dozens of plaintiffs disclosed
The Department of National Defense and attorney Jonathan Ptak, who represents several veterans and active members involved in the three lawsuits the government settled, said Epiq had confirmed three different privacy breaches.
That includes two violations reported by the company on February 8, when The Canadian Press first asked about information sent to Green, and another on February 24, when Epiq was asked about emails sent to Menard, which he received in November.
“We are aware of two incidents of unintentional disclosure affecting 91 class members that were previously reported in February and have just been notified of an additional unintentional disclosure involving one class member,” Ptak said in an email.
Epiq did not confirm the actual or suspected number of violations to The Canadian Press. But the company, which the Federal Court appointed to administer the November 2019 settlement deal, said it had launched a “widespread” investigation and was taking steps to prevent future problems.
“Epiq takes any issue related to data security very seriously,” Angela Hoidas, vice president of marketing and communications, said in a statement.
“While our investigation is still ongoing, we are communicating directly with our client, notifying plaintiffs we confirm to have been affected, and have implemented additional improvements to the existing process.”
Privacy commissioner notified
Information sent to Menard and Green consists of the names of individual plaintiffs as well as their claim numbers, which can be used to submit documents via a secure link on the class-action website.
Hoodas said the documents would then be reviewed by Epiq, and the individual files could not be accessed.
Menard and Green said they were dissatisfied with Epiq’s response, especially given the sensitive nature of the claims and the settlement agreement.
Both said they were now concerned about their own information having been released, and believed that the company had not provided the information it should have about the unintentional disclosure.
“They just want to pretend like it never happened,” said Green, who said he received personal information about 40 other plaintiffs last year. “How many people were affected? It is undeniable now more than myself. They’re up to three [breaches].”
Both said that despite the company’s request, they had refused to delete the emails they had received inadvertently until they were sure about the true scope of the privacy breach. Green said he was also seeking legal advice on his next steps.
The privacy commissioner’s office confirmed last week that it had received a report of a privacy breach, and is continuing to work with Epiq and the Department of Defense to obtain more information and determine next steps.
“Coffee aficionado nerd. Troublemaker. General communicator. Gamer. Analyst. Creator. Total brew ninja.”