Quest Diagnostics and Subsidiary Face Class Action Lawsuit Over Ransomware Attack

A lawsuit has been filed in the US District Court for the District of Massachusetts against Quest Diagnostics and its subsidiary, ReproSource Fertility Diagnostics, over an August 2021 ransomware attack that affected 350,000 patients.

On October 8, 2021, ReproSource started sending notification letters to affected patients informing them that some of their protected health information had potentially been accessed or stolen prior to ransomware being used to encrypt files. The types of data stored on parts of its network that were accessible to the attackers included names, dates of birth, test results, medical histories, diagnosis codes, Social Security numbers, billing information, and other information.

While the breach notification letters were sent within the 60 days allowed by the HIPAA Breach Notification Rule, the lawsuit alleges Quest and ReproSource failed to issue timely notifications to patients, which violated Massachusetts law. It further alleges that when the notification letters were issued, more than a month after the attack, they lacked important information about the breach, such as whether the servers that stored patient data were accessed by the attackers, whether the data on those servers had been encrypted, how the attack occurred, and which systems had been affected. The patient named in the lawsuit, Jasmyn Bickham, claims to have received a letter stating her protected health information had been released, while the breach notice published on ReproSource’s website failed to say whether patients’ information was acquired by the hackers.

The lawsuit alleges the hackers were able to gain access to ReproSource’s systems because of the failure to implement appropriate safeguards to protect patient data, as is required by the HIPAA Security Rule, and if those measures had been implemented, the ransomware attack and data breach could have been prevented. The lawsuit alleges the failure to safeguard data violated several state and federal laws, and the security failures were “especially egregious” due to the number of warnings issued to the healthcare industry about the increase in ransomware attacks.

Under the HIPAA Security Rule, covered entities must provide security awareness training to all members of the workforce. The lawsuit alleges a violation of HIPAA and Federal Trade Commission regulations for training failures, claiming security awareness training had not been provided at defined intervals and the training program had not been tailored to employees with differing levels of knowledge about technology and cybersecurity.

The lawsuit alleges negligence, breach of contract, breach of implied contract, and breach of fiduciary duty, and seeks class action status. The lawsuit claims patients affected by the breach face an elevated risk of identity theft and fraud, and that they have had to spend time protecting themselves against identity theft and fraud.

The lawsuit seeks actual, compensatory, punitive, and statutory damages, attorneys’ fees, and calls for ReproSource to enhance its security systems and return wrongfully retained revenue. In addition, the lawsuit seeks at least three years of credit monitoring services for the plaintiff and class members. ReproSource only offered 12 months of credit monitoring services to affected individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.