Quest Diagnostics Facing Class Action Over ‘Massive’ Data Breach Affecting 11.9 Million Patients

New to ClassAction.org? Read our Newswire Disclaimer

Quest Diagnostics Incorporated is among the defendants in a proposed class action lawsuit that claims the medical testing company failed to safeguard millions of patients’ confidential information from a data breach.

The lawsuit claims the defendants, which include payment collectors American Medical Collection Agency, Inc. and Optum360 Services, Inc., negligently allowed at least one unauthorized party to access patients’ financial, medical, and personal information in a cyber breach that went undetected between August 1, 2018 and March 30, 2019.

It wasn’t until June 3, 2019, the suit says, that Quest publicly disclosed the existence of the breach in a filing with the Securities Exchange Commission. Quest reportedly stated in the filing that American Medical Collection Agency had informed Quest and Optum360 of a “massive data breach” that compromised the private information of 11.9 million Quest patients “and most likely others.” The leaked data included credit card and bank account information, medical data, and personal information such as social security numbers, according to the complaint.

The lawsuit argues that the defendants had a duty under federal law to protect patients’ confidential information and to timely alert them to the breach yet “did nothing” to notify victims until nearly a year after the data breach began. From the complaint:

“Defendants had obligations created by HIPAA, arising from promises made to patients like Plaintiff and other Class Members, and based on industry standards, to keep the compromised Sensitive Information confidential and to protect it from unauthorized disclosures. Class Members provided their Sensitive Information to Quest with the understanding that Quest and any business partners to whom Quest disclosed the Sensitive Information would comply with their obligations to keep such information confidential and secure from unauthorized disclosures.”

Nevertheless, the defendants, the case says, negligently exposed millions of patients to a heightened risk of identity theft by failing to implement adequate security measures.

At least one other lawsuit has since been filed over the reported data breach, and it is expected that more will follow. Both lawsuits can be read in full below.