25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Quest Diagnostics Announces 34,000-Record ePHI Breach

Posted By on Dec 13, 2016

Madison, New Jersey-based clinical laboratory service provider Quest Diagnostics is alerting 34,000 patients that some of their electronic protected health information (ePHI) has been stolen.

Quest Diagnostics is business associate of many healthcare providers across the United States. Consequently, patients across the United States have been impacted by the breach.

On November 26, 2016, an unknown individual gained access to the MyQuest by Care360® Internet application and successfully exfiltrated a range of patient data. The intrusion was detected two days later when staff returned to work on Monday.

Upon discovery of the breach, access to the Internet application was blocked to prevent any further data from being accessed or copied and a leading cybersecurity firm was contracted to conduct a thorough investigation of the breach.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The investigation revealed that patients’ test results were copied along with names, dates of birth, and some telephone numbers, although no highly sensitive data such as Social Security numbers, health Insurance information, or financial data were accessed or copied. The cybersecurity firm is also conducting a thorough assessment of cybersecurity protections in place to prevent unauthorized data access. Upon conclusion of that assessment, additional protections will be put in place to prevent future breaches of this nature from occurring.

Quest Diagnostics responded promptly to the breach and has issued notification letters to patients under two weeks after the breach was first discovered, well inside the 60-day breach notification time limit stipulated by the Health Insurance Portability and Accountability Act (HIPAA).

While it has only been two weeks since the breach, Quest Diagnostics has not received any reports of patient data being misused to date. Quest Diagnostics has told patients “we do not believe that you need to take any steps at this time to protect yourself in response to this breach.”

The breach has been reported to the federal law enforcement agencies, and the Department of Health and Human Services’ Office for Civil Rights and state attorneys general have also been notified.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist