When a company selects and hires other companies to provide services, such as debt collection, is it responsible for the care they take with sensitive information? The complaint for this class action names Quest Diagnostics Incorporated as a defendant, along with its vendors Optum360, LLC and American Medical Collection Agency, and concerns a data breach at American Medical.
The Nationwide Class for this action is all persons in the US whose sensitive information was in AMCA’s systems, which were compromised in the breach announced by Quest on June 3, 2019. There is also an Alabama Subclass.
The Factual Allegations section in the complaint begins with the statement, “Quest is the world’s leading provider of medical diagnostic testing services.”
In a public filing with the Securities and Exchange Commission (SEC) on June 3, 2019, Quest admitted that a company it had hired had experienced a data breach. The complaint quoted the Form 8-K as saying, “On May 14, 2019, American Medical Collection Agency (AMCA) notified Quest … and Optum360 LLC, [Quest’s] revenue cycle management provider,” of a data breach that exposed the personal information of nearly 12 million Quest patients.
It went on to say that “between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA had collected itself,” which included credit card numbers, bank information, medical information, Social Security numbers, and other personal data.
In other words, hackers had had access to patients’ personal information for seven months, but Quest did not provide the victims with any notice of it until nearly a year after the exposure started. And even then, the only notice Quest provided to victims was the SEC filing.
The complaint claims that in its Notice of Privacy Practices, Quest admits that it is subject to the Health Insurance Portability and Accountability Act (HIPAA) and says it is “committed to protecting the privacy of [patients’] identifiable health information.”
Again, the complaint quotes Quest as saying, “We may provide your PHI to other companies and individuals that need the information to provide services to us. These other entities, known as ‘business associates,’ are required to maintain the privacy and security of [Private Health Information, known as] PHI.”
The complaint alleges negligence, wantonness, breach of contract, and violations of New York’s General Business Law.