This class action lawsuit claims that Quest Diagnostics failed to safeguard its clients’ Protected Health Information (PHI) including laboratory test results and Personal Identifying Information (PII), and that Quest Diagnostics failed to provide timely, accurate, and adequate notice to its clients that their private information had been stolen. PII includes names, dates of birth, and phone numbers.
One plaintiff in this lawsuit, Grant Morrow, is a resident of St Petersburg, Florida. On December 12, 2016, Morrow received a letter from Quest Diagnostics that his private information was accessed by unauthorized persons. As a result of the breach and the increased risk of identity theft cause by the breach, Mr. Morrow enrolled in an identity theft protection service at a monthly cost of $14.95.
Quest Diagnostics provides many services including allergy and Asthma testing, HIV testing, Ovarian Cancer screening, Breast Cancer screening, Celiac Disease screening, Colorectal Cancer screening, and more. They use the MyQuest by Care360 Internet application to give patients access to different applications and test results. This website has a variety of PHI that users would not want being disclosed. MyQuest by Care360 is also marketed to physicians who subscribe to the program.
Despite the fact that it was storing sensitive private information that it knew was valuable and vulnerable to cyber attackers, Quest failed to take adequate measures that could have protected users’ private information. On December 12, 2016, Quest announced that on November 28, 2016 it became aware that it had suffered a data breach. An unauthorized third party accessed its MyQuest by Care360 application, obtaining the PHI of approximately 34,000 patients.
Based on the facts of the case, the plaintiffs allege the following violations: