DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

High court upholds damages in ICBC privacy breach that resulted in shootings, arson

Posted on April 24, 2025April 23, 2025 by Dissent

Long-time readers may recall a truly frightening insider breach at the Insurance Corporation of British Columbia (ICBC) that resulted in cases of arson and people being shot at. The breach was first disclosed in 2011. An employee had reportedly accessed personal information on 65 people. We would later learn that Candy Elaine Rheaume had accessed personal information on 78 people and sold information on 45 of them to gang members. Thirteen of them wound up having their homes or vehicles set on fire, or they were shot at. Unsurprisingly, a lawsuit against ICBC was filed.

In June 2024, the court found for the plaintiffs and awarded them each $15,000. ICBC appealed. Now Jeremy Hainsworth reports that the chief justice of B.C. has dismissed ICBC’s appeal:

“Where—as here—the breach is serious, deliberate, and for an improper purpose, it is entirely open to a judge to conclude more than technically nominal damages are required to compensate for the intrinsic damage to the privacy rights of the plaintiff,” B.C. Court of Appeal Chief Justice Leonard Marchand said in his April 23 decision.

The decision, concurred with by two other justices, said the public insurer had been found vicariously liable for a serious breach by Candy Elaine Rheaume of the privacy of a number of its customers and others.

Read more at Vancouver is Awesome.

The Canadian Press provides some additional details, including that the insurer wanted the court to award only “nominal” damages of $500 each. ICBC had argued that the $15,000 amount was too high because “consequential harm” to individual class members has yet to be proven, and is still before the court to decide.

Reading the court’s decision makes it clear that the damages award is solely for the breach of their privacy interests. The $15,000 does not include any compensation for damages to homes, vehicles, or other forms of harm the plaintiffs might have suffered. From the chief justice’s decision:

[70]         The aggregate damages award made by the judge provides compensation for the injury to the class members’ privacy interests and is responsive to the seriousness of the defendant’s misconduct. It provides no compensation for any mental distress, upset, property damage, loss of income, loss of opportunity, or any other kind of consequential harm that may have been suffered by the members of the plaintiff class.

[71]         It remains open, at the individual issues phase of the litigation, for any class member who has suffered consequential pecuniary or non-pecuniary harm beyond the simple fact of the breach to prove that loss and have appropriate compensation assessed. Of course, at that stage, the judge must be careful to ensure there is no double compensation.

[72]         The only questions left to be addressed are what kinds of purely consequential harms the class members have suffered, and what damages are required to make them whole.

Related posts:

  • Ca: Victim of arson spree questions ICBC’s handling of privacy breach
Category: InsiderNon-U.S.Of Note

Post navigation

← County auditor ordered to pay $80k after cyberattack
HHS Office for Civil Rights Settles Phishing Attack Breach with Health Care Network for $600,000 →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.