The company overseeing the federal government’s $900 million settlement deal with military members who experienced sexual misconduct in uniform has admitted to more privacy breaches.
Epiq Class Action Services Canada confirmed the additional errors last week after a second veteran came forward to The Canadian Press to report having received an email containing the personal details of a different claimant late last year.
France Menard said she decided to speak up after reading a Canadian Press report last month about Epiq having inadvertently sent fellow veteran Amy Green the names, email addresses and claim numbers of dozens of other claimants.
Epiq at that time said it had mistakenly disclosed “limited information” about fewer than 100 of the 20,000 people who have applied for compensation as part of the class-action settlement to one other claimant.
“Obviously she’s not the only one,” Menard said in an interview from her home in Fredericton. “People now are wondering: Is my information out there?”
Information of dozens of claimants disclosed
The Department of National Defence and lawyer Jonathan Ptak, who represents some of the veterans and active service members involved in the three lawsuits settled by the government, said Epiq has since confirmed three different privacy breaches.
Those include two breaches reported by the company on Feb. 8, when The Canadian Press first asked about the information sent to Green, and another on Feb. 24, when Epiq was asked about the email sent to Menard, which she received in November.
“We are aware of the two incidents of inadvertent disclosures that affected 91 class members which were reported about earlier in February and have just been made aware of an additional inadvertent disclosure involving one class member,” Ptak said in an email.
Epiq did not confirm the number of actual or suspected breaches to The Canadian Press. But the company, which the Federal Court appointed to administer the November 2019 settlement deal, said it has launched an “extensive” investigation and taken steps to prevent future issues.
“Epiq takes any issues associated with data security very seriously,” said Angela Hoidas, vice-president of marketing and communications, in a statement.
“Even as our investigation remains ongoing, we are communicating directly with our clients, notifying claimants we confirm have been affected, and have implemented additional enhancements to existing processes.”
Privacy commissioner informed
The information sent to Menard and Green consists of the names of individual claimants as well as their claim numbers, which can be used to submit documents through a secure link on the class-action website.
Hoidas has said such documents would then be reviewed by Epiq, and that individual files cannot be accessed.
Menard and Green say they are unsatisfied with Epiq’s response, particularly given the sensitive nature of the claims and settlement deal.
Both say they are now worried about their own information having been released, and believe the company has not been as forthcoming as it should be about the inadvertent disclosures.
“They just want to pretend like it never happened,” said Green, who said she received personal information about 40 other claimants last year. “How many people are affected? It’s undeniable that it’s more than just myself now. They’re up to three [breaches].”
Both said that despite the company’s requests, they have declined to delete the emails they inadvertently received until they are confident about the true scope of the privacy breach. Green said she has also sought legal advice on next steps.
The office of the privacy commissioner confirmed last week that it had received a privacy breach report, and was continuing to work with Epiq and the Defence Department to obtain more information and determine next steps.