HIPAA Compliance: Quest Pays $195K to Settle Class Action for HIV Data Breach

Government fines, public embarrassment, loss of provider and patient trust. As if these consequences weren’t scary enough, massive PHI breaches can expose your lab to a new kind of risk: class action lawsuits whose personal information was compromised. Exhibit A is the recent case against Quest Diagnostics. The Quest Class Action The case began in November 2016 when a massive cyber attack compromised the PHI of nearly 12 million people. Among the victims, the hackers were able to gain access to the SSNs, HIV test results and other personal information of Quest patients via the MyQuest by Care360 internet app. Rather than chase after Quest individually, a group of 34,000 victims banded together to bring a massive class action accusing Quest of negligently failing to safeguard their PHI and provide them timely notification of the breach, among other things. Quest denies the allegations. And who knows what would have happened had the case proceeded to trial. But as is often the case when confronting the risk of not only liability but also liability multiplied by the number of class members, decided to settle the case. The cost: $195,000, including $250 to each individual who can demonstrate they suffered monetary loss as a direct result of the breach. Individuals who can show their HIV test results were accessed will be entitled to an additional $75.