A federal judge has given final approval to a settlement in a class action lawsuit filed against the New Jersey-based medical laboratory firm, Quest Diagnostics Inc., in relation to its 2016 data breach. The $195,000 settlement will see up to $325 compensation made available for each person impacted by the breach.
On November 26, 2016 hackers obtained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and book appointments. The health app included names, dates of birth, telephone numbers, and laboratory test results which, for some patients, included their HIV test results. 34,000 patients were impacted by the breach.
A class action lawsuit was filed on behalf of patients affected. The lawsuit claimed that Quest Diagnostics had been negligent and failed to secure the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that could have protected user’s information.” The plaintiffs also claimed that Quest Diagnostics did not supply timely, accurate, and adequate notification in relation to the breach.
In the fall of 2019, Quest Diagnostics suggested a settlement that provided compensation for the breach victims in order to prevent further legal costs and avoid the risks of continuing litigation. A maximum of $325 per breach victim was suggested, which reflected the strengths and weaknesses of the claims and defenses in the legal action. Quest Diagnostics and the other defendants in the case have not accepted any liability for the breach.
The settlement was given preliminary approval from a federal court judge in October 2019. Final approval was given on February 25, 2020.
Every class member can claim up to $325, which is made up of $250 to cover provable out-of-pocket expenses incurred due to the breach. A further $75 can be claimed by every patient whose HIV test results were exposed, even if patients did not suffer any losses. Plaintiffs are required to file a claim in order to receive a share of the settlement and claims must be filed by May 22, 2020.
Another class action legal action has been submitted against Quest Diagnostics and Care360 in relation the theft of almost 12 million patient records from its business associate, American Medical Collection Agency (AMCA) in 2019. The plaintiffs in that case similarly claim that the defendants were negligent for failing to secure their personal and protected health information and did not supply timely and accurate alerts.