Quest Diagnostics calls itself “the world’s leading provider of diagnostic information services.” LabCorp is also a global laboratory offering diagnostic services. Quest uses Optum360, LLC for billing collections, and both Optum and LabCorp use AMCA for collections. This means that when AMCA suffered an extended data breach, medical and personally identifying information (PII) for millions of people was exposed.
The class for this action is all individuals legally living in the US who used Quest’s or LabCorp’s services and gave PII to Quest or LabCorp, and whose PII was compromised as a result of the data breach.
AMCA, which actually suffered the data breach, is not a defendant in this case; instead, the defendants are Quest, LabCorp, and Optum.
The data breach was extensive. It lasted from August 1, 2018 and March 30, 2019.
However, Quest did not announce the hacking of patients’ PII until June 3, 2019. The complaint says that approximately 11.9 million patients’ information was exposed. This included financial information (such as credit card numbers and bank account information), medical information, and personal information (such as Social Security numbers).
LabCorp made its announcement on June 4, the day after Quest’s. It said that it had given AMCA information on some 7.7 million people. According to its announcement, the information exposed for its customers included personal information (such as full names and date of birth) and payment information (such as bank account or credit card numbers). It claims that it did not provide to AMCA any information on tests, lab results, or diagnoses.
The complaint claims that the data security failures were a foreseeable risk. Quest talked about its obligations to protect patient information in its Notice of Privacy Practices and mentioned data security as a risk in its most recent Form 10-K. It even admitted that the risk extended to its vendors and subcontractors, saying, “A breach or attack affecting these third parties could also harm our business, results of operations and reputation.” Furthermore, it had itself experienced a data breach in 2016.
Similarly, LabCorp spoke of the need for data security in its Notice of Privacy Practices. It also admitted that data breaches could harm it: “Security breaches and unauthorized access to the Company’s or its customers’ data could harm the Company’s reputation and adversely affect its business. And it had also experienced a cyberattack in 2018.
The complaint alleges that, given all this, the measures taken by the companies to safeguard data were insufficient. It alleges negligence and negligence per se and asks for declaratory and equitable relief.