HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim.

On November 26, 2016 hackers gained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach.

A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that could have protected user’s information.” The plaintiffs also alleged Quest Diagnostics did not provide timely, accurate, and adequate notification about the breach.

In the fall of 2019, Quest Diagnostics proposed a settlement that provided compensation for the breach victims in order to avoid further legal costs and the risks of continuing litigation. A maximum of $325 per breach victim was proposed, which reflected the strengths and weaknesses of the claims and defenses in the case. Quest Diagnostics and the other defendants in the case have not admitted any wrongdoing.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The settlement received preliminary approval from a federal court judge in October 2019. Final approval was issued on February 25, 2020.

Each class member can claim up to $325, which is comprised of up to $250 to cover provable out-of-pocket expenses incurred as a result of the breach. A further $75 can be claimed by each patient whose HIV test results were exposed, even if patients did not incur any losses. Plaintiffs are required to submit a claim in order to receive a share of the settlement and claims must be submitted by May 22, 2020.

Another class action lawsuit has been filed against Quest Diagnostics and Care360 over the theft of almost 12 million patient records from its business associate, American Medical Collection Agency (AMCA) in 2019. The plaintiffs in that case similarly allege the defendants were negligent for failing to protect their personal and protected health information and did not provide timely and accurate notifications.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.