Natali_Mis/istock via Getty Imag

Judge Finalizes Quest Diagnostics Settlement Over 2016 Data Breach

First proposed in October, a judge has finalized the data breach lawsuit settlement between Quest Diagnostics and the patients impacted by a 2016 hack of the testing giant’s patient application.

The US District Court in New Jersey issued a final approval of a class-action lawsuit settlement between Quest Diagnostics and the patients impacted by a 2016 data breach. The testing giant will pay $195,000 to resolve claims the data of 34,000 patients were compromised during the hack.

First disclosed in November 2016, a hacker breached the MyQuest by Care360 web application to then access and steal data. Patient names, dates of birth, contact details, and medical test results, including HIV status were compromised for an undisclosed period of time, as officials did not outline when the unauthorized access began and when it was first discovered.

In response, patients filed a lawsuit against Quest in 2017 claiming the testing giant failed to protect their health information and did not provide patients with a timely, accurate notification that a potential breach had occurred.

The lawsuit was amended twice during the litigation period, before both parties came to a settlement agreement in October 2019.

Under the settlement finalized on February 25, Quest must pay the affected patients $195,000. Breach victims can receive up to $325 in compensation, which includes up to $250 for actual monetary losses stemming from the breach.

Those patients whose HIV test results were compromised during the incident can receive an additional payment of $75, even if those patients did not incur any monetary losses. The settlement also includes attorneys’ fees, costs, and expenses. Patients have until May 22, 2020 to file a claim.

According to the filing, the settlement is not an admission of liability from Quest.

The testing giant is currently embroiled in another class-action lawsuit filed by patients impacted by breach of its former third-party vendor, American Medical Collection Agency. The data of more than 11 million Quest patients were stored in AMCA servers that were hacked for more than eight months between August 1, 2018 and when it was discovered on March 20, 2019.

The breach victims are claiming the vendors failed to adequately protect their personal health information and waited far too long to notify patients their data was potentially compromised.

Breach lawsuits are becoming increasingly common in the healthcare sector, with mixed results. In the last month, Hackensack Meridian Health was sued after a December ransomware attack, and University of Washington Medicine is facing a lawsuit after it reported a data breach impacting 974,000 patients.

Next Steps

Dig Deeper on HIPAA compliance and regulation