A U.S. district court judge in New Jersey has tentatively approved a $195,000 settlement with Quest Diagnostics, which would resolve a class-action lawsuit filed after a 2016 cyberattack on the vendor breached the personal and medical data of 34,000 patients. Quest joins an increasing number of vendors and providers facing breach-related lawsuits, as reported by Jessica Davis of HealthITSecurity.
In November 2016, Quest officials began notifying patients that a hacker had breached the MyQuest by Care360 web application, allowing them to access and steal patient names, dates of birth, contact information, and a trove of medical test results, including those for HIV status.
At the time, officials said, “When the intrusion was discovered, we immediately took steps to stop any further unauthorized activity… and are working with a leading cybersecurity firm to assist with our investigation and to further evaluate our systems.”
However, the notification did not say when the incident was first discovered or how long the hacker had access to the platform before that discovery.
In early 2017, patients impacted by the security incident filed a class-action lawsuit, which was amended twice during the process. The breach victims alleged the company failed to protect their protected health information and did not notify victims with timely, accurate, or adequate notice that their data was potentially stolen, violating New Jersey law.
The settlement will provide the members of the lawsuit with $250 if they submit claims verifying monetary loss from the breach. Those patients whose HIV status was revealed will receive $75.
What’s more, the settlement is not an admission of liability from Quest Diagnostics. Rather, officials sought to put an end to further litigation and other legal fees.