Quest Diagnostics Facing Lawsuit for Disclosing Medical Information to Third Party Debt Collectors
Quest Diagnostics and its revenue operations management company, Optum360, were affected by the 2019 cyberattack on the medical billing collection company, American Medical Collection Agency (AMCA). Almost 12 million Quest Diagnostics patients had their protected health information exposed in the incident. Following the attack, Quest Diagnostics and Optum360 faced several class action lawsuits over the data breach, and the legal problems are continuing.
Another lawsuit has been filed against Quest Diagnostics and Optum360, not for the AMCA data breach itself, but for the decision to provide confidential medical information to AMCA and other third-party debt collectors, which the lawsuit alleges did not need to be provided to those third parties to allow them to complete their contracted duties. The lawsuit alleges the provision of unnecessary medical information to debt collection companies is in violation of the California Confidentiality of Medical Information Act (CMIA), which mandates providers only share medical information if they obtain authorization from patients, except under narrowly tailored exceptions. The lawsuit alleges the circumstances under which Quest Diagnostics provided medical information required patient consent, which was not obtained, and without consent, medical information should not have been shared.
The lawsuit was filed on behalf of plaintiff Gregory Bratten and similarly situated individuals who received diagnostic testing services through Quest Diagnostics. Mr. Bratten received a blood test at a Quest laboratory and trusted Quest to protect his sensitive information. Quest Diagnostics invoices patients directly for its services, rather than those charges being included in the medical bill from their physician. When payment for the testing was not received in the required time frame, Mr. Bratten’s bill was sent to collections.
Quest hired Optum360 to manage its revenue services operations and later assigned its contracts with third-party debt management collection companies to Optum360. Optum360 then started delivering Quest’s outstanding invoices to the debt collectors to recover the funds. Between January 1, 2017, and December 31, 2018, Mr. Bratten’s sensitive medical information was provided to a third-party debt collection company, even though that information was not required for collection purposes. As a result of the alleged violations of CMIA, the lawsuit claims Mr. Bratten and other similarly situated individuals are entitled to damages.
Under CMIA, medical information can be shared without patient authorization with entities that provide billing, claims management, medical data processing, or other administrative services; however, the lawsuit claims that third-party debt collection companies do not fall into those categories as they do not provide any of those services for Quest Diagnostics or Optum360. While information can be shared with third-party debt collection companies to allow them to collect outstanding bills, medical information does not need to be shared for collection purposes, and should not be shared without authorization from patients.
While the defendants in the lawsuit lawfully came into possession of medical information, such as patients’ demographic information, physician information, insurance information, test/procedure codes, and diagnosis codes, they are alleged to have unlawfully disclosed some of that information. Those disclosures resulted in the plaintiff and class members suffering an injury and damages, and they are therefore entitled, by law, to nominal damages of $1,000 for each violation, actual damages, if any, and injunctive relief, attorneys’ fees, expenses, and costs.
The lawsuit seeks class action certification, a jury trial, and compensatory, consequential, and general damages, including nominal damages as appropriate, for each count as allowed by law. In addition to damages, the lawsuit seeks injunctive relief prohibiting the defendants from continuing to engage in unlawful acts, commissions, and deceptive practices, as laid out in the lawsuit.
“Quest Diagnostics neglected patient privacy and clearly violated the California Confidentiality of Medical Information Act. We are committed to ensuring that Quest is held accountable for recklessly mismanaging sensitive patient information,” said Christopher Ayers, partner at Seeger Weiss, who is participating in the lawsuit.


