HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months.

LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach.

A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data.

Raymond Eugenio holds shares in LabCorp which lost value as a result of the data breaches and filed the lawsuit on April 23, 2020 to recover those and other losses. The lawsuit names LabCorp as the defendant along with 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, CFO Glenn Eisenberg, and director Adam Schechter.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The lawsuit alleges that prior to the AMCA breach and subsequently, LabCorp failed to implement appropriate cybersecurity procedures and did not have sufficient oversight of cybersecurity, which directly resulted in the two data breaches.

In an SEC filing, LabCorp explained the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but the lawsuit points out that the figure is just a fraction of the total losses and does not cover the cost of litigation that followed. Several class action lawsuits have been filed by victims of the AMCA data breach that name LabCorp so the total losses are not known to its shareholders. The lawsuit also states that the second breach has not been acknowledged publicly or in any SEC filings. As such, Eugenio alleges LabCorp failed in its responsibility to its shareholders and breached its duties of loyalty, care, and good faith.

The lawsuit alleges LabCorp failed to implement effective internal policies, procedures, and controls to protect patient information, there was insufficient oversight of compliance with federal and state regulations and its internal policies and procedures, LabCorp did not have a sufficient data breach response plan in place, PHI was provided to AMCA without ensuring the company had sufficient cybersecurity controls in place, LabCorp did not ensure that individuals and entities affected by the breach were noticed in a timely manner, and that the company did not make adequate public disclosures about the data breaches.

The lawsuit seeks reimbursement for damages sustained as a result of the breaches and public acknowledgement of the January 2020 data breach. the lawsuit also calls for a reform of corporate governance and internal procedures and requires a board-level committee to be set up and an executive officer position appointed to ensure adequate oversight of data security.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.