Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

Share this article on:

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim.

On November 26, 2016 hackers gained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach.

A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that could have protected user’s information.” The plaintiffs also alleged Quest Diagnostics did not provide timely, accurate, and adequate notification about the breach.

In the fall of 2019, Quest Diagnostics proposed a settlement that provided compensation for the breach victims in order to avoid further legal costs and the risks of continuing litigation. A maximum of $325 per breach victim was proposed, which reflected the strengths and weaknesses of the claims and defenses in the case. Quest Diagnostics and the other defendants in the case have not admitted any wrongdoing.

The settlement received preliminary approval from a federal court judge in October 2019. Final approval was issued on February 25, 2020.

Each class member can claim up to $325, which is comprised of up to $250 to cover provable out-of-pocket expenses incurred as a result of the breach. A further $75 can be claimed by each patient whose HIV test results were exposed, even if patients did not incur any losses. Plaintiffs are required to submit a claim in order to receive a share of the settlement and claims must be submitted by May 22, 2020.

Another class action lawsuit has been filed against Quest Diagnostics and Care360 over the theft of almost 12 million patient records from its business associate, American Medical Collection Agency (AMCA) in 2019. The plaintiffs in that case similarly allege the defendants were negligent for failing to protect their personal and protected health information and did not provide timely and accurate notifications.

Author: HIPAA Journal

Share This Post On