Quest Diagnostics Incorporated is one of the leading medical laboratory services company in the country. But it subcontracted collection work to a company called Optum360, LLC, which in turn subcontracted work to Retrieval-Masters Creditors Bureau, Inc. (RMCB). The result? The personal information of Quest customers was exposed in a data breach at a company they had never entrusted with their information.
The Nationwide Class for this action is consumers in all states who used the medical lab services of Quest during the statutes of limitation and whose information was shared with Optum and RMCB. State classes have also been proposed for New Hampshire, Connecticut, New York, Illinois, North Carolina, Ohio, Massachusetts, Vermont, and California.
According to the complaint, “The personal information was disclosed due to the actions of RMCB…” It was exposed from roughly August 2018 to March 2019. Although the companies found out about it in March or April 2019, the complaint says they only recently informed class members. (The action was filing on June 4, 2019.)
The information included “personal, financial and bank account information” although “it is uncertain whether … sensitive and HIPAA-protected medical information was compromised…” However, the complaint alleges that cyber-thieves will likely be able to determine which tests were performed on customers without exerting much effort.
Unfortunately, many people “did not have a choice to use defendant Quest’s services, since it is the largest lab services provider in the country and often the only provider in many areas.” The complaint believes the company bears some responsibility because it did not “implement third-party safeguards and quality-control mechanisms” to protect the information.
In fact, the complaint says, “This failing was due to strict requirements that defendant Quest select the billing providers that committed to the lowest cost for servicing accounts.” This search for the lowest costs for Quest, the complaint says, “has resulted in a higher cost being imposed on plaintiff and class members.” The complaint holds all three companies liable for the data breach and its consequences.
The complaint alleges that if the companies had taken “reasonable, industry-standard steps and followed ‘best practices,’” either the data breach would not have occurred or it would not have lasted so long, so that the customers involved would have been less damaged.
Among its counts, the complaint lists violations of state consumer protection laws, breach of contract, negligence, negligence per se, and unjust enrichment.