Quest Data Breach Lawsuit

Quest Diagnostics subsidiary ReproSource Fertility Diagnostics has been sued by a patient over alleged security deficiencies. The Quest data breach lawsuit was filed one month after the October 8, 2021 announcement of a ransomware attack that potentially exposed the protected health information (PHI) of 350,000 individuals.

Details of the Quest Data Breach Lawsuit

According to the notification provided by ReproSource, the company’s network was hacked in early August 2021. The company’s security team discovered the intrusion two days later following deployment of the ransomware. PHI may have been accessed and taken from the system. Further analysis revealed that the data impacted by the incident included medical histories and test reports, as well as billing and further health data.

Allegations Made in the Quest Data Breach Lawsuit

Breach notification letters were sent within 60 days of discovery of the breach as required by HIPAA regulations. However, the data breach lawsuit claims Quest and ReproSource failed to issue timely notifications to patients, in violation of Massachusetts law.

The data breach lawsuit also alleges violations of the HIPAA Security Rule because of failures to implement appropriate safeguards to protect patient data. It further asserts that if those safeguards had been implemented, the breach could have been prevented.

The plaintiff’s attorneys also cite training deficiencies that were violations of both HIPAA and Federal Trade Commission regulations. The lawsuit alleges that security awareness training was not provided at defined intervals, and that training did not address different levels of knowledge about technology and cybersecurity.

The data breach lawsuit claims Quest Diagnostics and ReproSource committed negligence, breach of contract, breach of implied contract, and breach of fiduciary duty, and seeks class-action status. The lawsuit claims patients affected by the breach are at elevated risk of identity theft and fraud, and that they have had to spend time protecting themselves against these risks.

The plaintiffs are seeking actual, compensatory, punitive, and statutory damages, as well as attorneys’ fees. They also ask that ReproSource enhance its security systems and return wrongfully retained revenue. In addition, the lawsuit seeks at least three years of credit monitoring services for the plaintiff and class members. ReproSource only offered 12 months of credit monitoring services to affected individuals.

Takeaways from the Data Breach Lawsuit

As ransomware attacks and other cybercrimes continue to grow at an exponential pace, it’s likely lawsuits like the Quest data breach lawsuit will increase as well. Achieving and maintaining HIPAA compliance is now more important than ever.

If your organization is not HIPAA compliant, any violations uncovered during an HHS Office for Civil Rights investigation leave you exposed to serious fines. A finding of non-compliance by government investigators would not be helpful if you’re facing a suit like the Quest data breach lawsuit.

Have you done all you can to make your organization HIPAA compliant? Are there gaps hiding in your HIPAA compliance plan? If you have questions, Compliancy Group has answers. Our solution closes gaps, builds confidence, and addresses the full extent of the 1,000-plus pages of HIPAA regulations.