Recently, a number of data breaches have occurred at places that store personal medical information. This case brings suit against Laboratory Corporation of America and its parent company, Laboratory Corporation of America Holdings, both of which go by the name of LabCorp. However, the data breach did not involve LabCorp’s systems but those of its debt collector, which is not named as a defendant in this case.
The class for this action is all persons in the US who used LabCorp’s services and whose Sensitive Information was maintained on AMCA’s system, which was compromised in the data breach announced by LabCorp on June 3, 2019.
LabCorp is a major provider of medical diagnostic testing. It performs tests directly on patients and also takes patient samples from doctors for testing.
When patients do not pay for the tests within the required period of time, LabCorp passes their information on to its chosen debt collector, American Medical Collection Agency, Inc. (AMCA). AMCA then files that information in its own systems. The data breach in question in this case took place on AMCA’s systems.
LabCorp announced the data breach via a Form 8-K filing with the Securities and Exchange Commission (SEC). “According to AMCA, this activity occurred between August 1, 2018 and March 30, 2019…. LabCorp has referred approximately 7.7 million consumers to AMCA whose data was stored in the affected AMCA system.”
The data exposed during this extended period of time included credit card numbers, bank account information, medical information, health information protected by the Health Insurance Portability and Accountability Act (HIPAA), and other information.
The complaint alleges, “LabCorp failed to properly monitor its vendors to ensure that proper data security safeguards were being implemented by those vendors throughout the breach period so as to properly safeguard class members’ Sensitive Information. Had LabCorp properly monitored its vendor’s systems, it would have discovered the intrusion much sooner than eight months after the breach began.”
LabCorp’s Notice of Privacy Practices says that the company is “committed to the protection of your [Private Health Information] and will make reasonable efforts to ensure the confidentiality of your PHI…” The complaint quotes the Notice as further promising, “All of our business associates are required to maintain the privacy and confidentiality of your PHI.”
Data breaches lead to identity theft. The complaint counts off a nerve-wracking variety of scenarios: “opening new financial accounts…, taking out loans…, …obtain[ing] medical services, obtain[ing] government benefits, filing fraudulent tax returns …, obtaining driver’s licenses …, and giving false information to police during an arrest.”
Counts include negligence, negligence per se, breach of implied contract, and breach of fiduciary duty, among other things.