LabCorp, a leading healthcare diagnostics company that offers laboratory and genetics testing services, has been sued by one of its shareholders to recover share value losses caused by two data breaches suffered by LabCorp within the last twelve months. In this cybersecurity lawsuit, the shareholder, Raymond Eugenio, seeks money damages as well as public acknowledgment by LabCorp that the second of the two breaches took place.
What Does the Cybersecurity Lawsuit Allege?
The cybersecurity lawsuit, filed against LabCorp as well as its directors and executives, seeks public acknowledgment that the second of the two data breaches occurred.
This second breach took place in January of 2020, the lawsuit alleges. As a result of a website misconfiguration, 10,000 company documents, some of which contained protected health information (PHI), became publicly viewable. This incident was reported by TechCrunch, an online publisher focusing on the tech industry.
According to the lawsuit, this breach was neither publicly disclosed nor mentioned in any required filings with the Securities and Exchange Commission (SEC), nor is the breach listed in the HHS breach reporting tool, even though patient data was involved. Under the HIPAA Breach Notification Rule, covered entities, including healthcare providers and labs, must notify the HHS Secretary if a breach of unsecured protected health information is discovered. Notifications must be submitted through the reporting tool. LabCorp, the lawsuit alleges, also failed to notify affected individuals of the breach.
The January 2020 breach comes shortly after LabCorp became a victim of the largest healthcare data breach of 2019 – the American Medical Collection Agency (AMCA) breach. That breach affected about 7.7 million LabCorp patients.
As a result of both of these incidents, the cybersecurity lawsuit alleges, shares of LabCorp have lost value. The cybersecurity lawsuit, which alleges that LabCorp’s cybersecurity measures have been “historically and persistently deficient,” claims that LabCorp’s failure to implement adequate procedures and oversight directly resulted in the breaches.
The cybersecurity lawsuit also alleges that LabCorp was on notice of longstanding security problems. In July 2018, LabCorp suffered a ransomware attack that potentially exposed the data of millions of patients, after hackers gained access to over 10,000 LabCorp workstations. Despite this, the lawsuit alleges, LabCorp failed to put a data breach response plan into place and failed to develop and implement an effective internal control system. The lawsuit alleges LabCorp even failed to monitor compliance with what internal procedures it did have.