Data Breaches Leave Labs and Patients Exposed

Two recent data breaches at major labs may have compromised the personal health information of approximately 19.6 million patients. No wonder the industry and privacy experts are revisiting best practices for preventing future incidents.

At Quest

The larger of the two breaches involves Quest Diagnostics, one of the biggest blood testing companies in the US. In late May, Quest was notified by billing and collections vendor American Medical Collection Agency (AMCA) that a hacker had access to its system and Quest customer information for nearly eight months, between Aug. 1, 2018 and March 30, 2019. Information of about 11.9 million patients might have been compromised, including credit card numbers, bank account details, medical data and Social Security numbers. Lab results were not compromised because Quest didn’t share that information with AMCA. Upon learning of the breach, Quest stopped sending collection requests to AMCA, sent notifications to health plans and enlisted the help of security experts to mitigate the damage.

At LabCorp

A few days after notifying Quest of the above breach, AMCA informed another one of its mega-lab clients, LabCorp, of a breach potentially affecting 7.7 million patients. As in the Quest situation, personal and financial information was compromised but not lab test results. However, The Washington Post reports that during the LabCorp breach “the hacker was able to access names, birthdays, addresses, phone numbers, dates of service, account balances and other information.” According to The Wall Street Journal, LabCorp responded by notifying approximately 200,000 of its customers that their credit card information may have been compromised. In announcing this action, LabCorp CEO David P. King also pointed out that the breach wasn’t the direct result of anything the company had done and that the company “believed the impact to LabCorp customers would be minimal.”

Legal Ramifications and Other Fallout

Coincidentally or not, King announced his retirement as LabCorp CEO on the same day he addressed the breach.

Reportedly, credit card details for approximately 200,000 patients from AMCA have been found for sale on the dark web.

A class-action lawsuit has been filed by more than 1,000 LabCorp customers, alleging that it failed to protect the confidential information of millions of patients and that “wrongful disclosure has harmed the plaintiffs and the classes believed to include millions of individuals.” Quest has also been hit with a class-action lawsuit.

Retrieval-Masters Creditors Bureau, the parent company of AMCA, filed for Chapter 11 bankruptcy protection. In its petition it cited a “cascade of events.”

Best Practices

The Quest and LabCorp breaches and resulting legal action are a striking reminder of the importance of preventing data breaches and responding properly when prevention fails. Best practices:

• Inform patients that you share their PHI with third parties and explain the resulting risks;
• Ensure that all contracts with billing and collections firms require immediate disclosure of data breaches;
• Include contract language requiring billing and collections firms to take appropriate measures to address breaches involving your lab’s data;
• Establish internal policies regarding data breaches that address patient notification, outreach to health plans, assistance from security experts, and media outreach; and
• Have a contingency plan in place for billing and collections services in case the current vendor become unavailable—or consider using two vendors if your volume warrants it so that a backup is immediately available.