Quest Diagnostics Proposed Breach Settlement Approved
Patients Whose HIV Test Results Were Exposed Will Get $75
A federal court has given preliminary approval for a $195,000 settlement of a class action lawsuit filed against medical testing laboratory Quest Diagnostics in connection with a 2016 data breach affecting 34,000 individuals that exposed HIV-testing information of some patients.
The agreement, which was negotiated by mediators and approved on Oct. 25 by a New Jersey U.S. district court judge, settles a class action filed in 2017 in the aftermath of a November 2016 hacking incident involving Quest’s MyQuest by Care360 internet application. The settlement comes after plaintiffs filed their original complaint in 2017 and then subsequently filed two amended complaints.
In a breach notification statement issued in 2016, Quest Diagnostics said that “an unauthorized third party” accessed the web application and obtained protected health information of approximately 34,000 patients.
The lawsuit against Quest Diagnostics alleges, among other claims, that the Secaucus, New Jersey-based company failed to safeguard its clients’ PHI - including laboratory test results and personal identifying information such as names, dates of birth, and phone numbers - and also failed to provide “timely, accurate and adequate notice to plaintiffs and other class members that their private information had been stolen.”
In a statement provided to Information Security Media Group, Quest Diagnostics says that while the company “continues to believe that the claims brought by the plaintiff are meritless, the company decided to resolve the issue now to avoid protracted litigation and associated costs.”
Settlement Details
Under the settlement, lawsuit class members who submit claims showing monetary losses resulting from the incident can receive $250 each. Class members whose HIV test results were disclosed in the incident will be paid $75. So the maximum payment to any class member is $325.
Neither Quest Diagnostics nor attorneys representing plaintiffs in the lawsuit immediately responded to ISMG’s inquiry about approximately how many individuals affected in the data breach had their HIV testing information compromised.
Sensitive Data
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., who is not involved in the case, says that the settlement spotlights the importance of properly securing sensitive health information.
“What is interesting here is that although it remains with the individual class members to provide proof of any monetary damages, the court permitted a fixed - albeit low - settlement payment to those class members whose HIV health information was exfiltrated,” he says.
“HIPAA treats certain health-related information - such as substance addiction, HIV status and psychotherapy - as needing elevated protection, and the court’s acceptance of this carve-out indicates that the unauthorized disclosure of extra-sensitive protected health information carries with it a presumption of injury, and Article III standing.”
Article III standing demonstrates to a court that a party suffered some sort of harm by another’s actions.
Other Settlements
A number of class action settlements have been reached in other cases involving a breach of HIV-related treatment or testing data.
For example, Aetna reached several settlements for lawsuits stemming from a July 2017 mailing mishap in which a vendor sent letters to health plan members that revealed through the envelope's oversized clear windows that the recipient was taking HIV-related medication.
Aetna signed settlements totaling about $3 million with several states’ attorneys as well as a $17.2 million settlement of a class action lawsuit filed against the company on behalf of affected individuals.
“The victims in the Aetna case whose PHI was disclosed could receive a base payment of $75,” says privacy attorney David Holtzman of the security consultancy CynergisTek. But the Aetna claimants were entitled to $500 if they received a large window envelope from Aetna that would have more likely disclosed their HIV status and up to $20,000 by documenting financial or emotional harm, he notes.
“Perhaps distinguishing the significantly lower award in the Quest case, it is not known how many individuals whose test data was disclosed had been diagnosed with HIV or if there was evidence to the extent that the PHI had been acquired or viewed,” Holtzman adds.
The $250 payments for those who can show evidence of monetary losses resulting from the Quest Diagnostics breach are meant to compensate for identity theft, purchasing credit or identity monitoring services or other documented expenses, Holtzman notes.
“Individuals whose test results were disclosed and can demonstrate significant financial, reputational or emotional harm may choose to decline this settlement to pursue their own lawsuit against Quest in hopes of convincing a court that the breach was preventable and they are due money damages,” he adds.
While the volume of “extra sensitive health information” - such as HIV or mental health records - may be small in comparison to the totality of PHI maintained by most healthcare providers, “it is by no means insignificant,” notes attorney Teppler.
“In a way, this speaks to the larger issue of protecting all PHI from unauthorized disclosure - and for providers, it makes sense to make these extra protections global and not just for extra-sensitive PHI.”
Critical Issues
Independent HIPAA attorney Paul Hales, who was not involved in the case, says the court’s approval of the settlement is significant because it contains two key findings.
“First, the court has jurisdiction over the subject matter of the lawsuit, which consists of allegations of negligence, breach of contract and violation of New Jersey law based on Quest’s failure to protect health information required by HIPAA,” he says.
Second, good cause exists for the court to certify the lawsuit is a class action, he adds.
”These are two critical issues for similar lawsuits,” Hales says. “The settlement itself has no precedential value and reflects the difficulty in quantifying an amount of damages and overcoming arguments by excellent defense lawyers. However, if courts agree that they have subject matter jurisdiction over these types of lawsuits and that a plaintiff may effectively represent a class of individuals who suffered harm, the door will open wider for people aggrieved by health information breaches.”
Other Breach Lawsuits
Quest Diagnostics is also named as one of several co-defendants in a number of class action lawsuits filed in the wake of the American Medical Collection Agency hacking breach, which was revealed earlier this year.
In that incident, more than 12 million patients who had lab tests performed by Quest Diagnostics had their data potentially exposed.