A LabCorp shareholder has initiated a legal action against LabCorp and its executives and directors in relation the loss in share value following two cyberattacks experienced by the company in the past year.
LabCorp was one of the firms most impacted by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were stolen by hackers who gained access to AMCA’s systems. A minimum of 24 of AMCA’s clients were impacted by the breach.
A second LabCorp data breach was uncovered by TechCrunch in January 2020 that involved around 10,000 LabCorp files, which the legal action alleges was not publicly shared by the company nor mentioned in any SEC filings. The breach was due to a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not made known to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents included patient data.
Raymond Eugenio owns shares in LabCorp which lost value as a result of the data breaches. He filed the lawsuit on April 23, 2020 to recoup those and other losses. The lawsuit refers to LabCorp as the defendant along with 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, CFO Glenn Eisenberg, and director Adam Schechter.
The lawsuit claims that before the AMCA breach and subsequently, LabCorp failed to put in place appropriate cybersecurity procedures and did not have adequate oversight of cybersecurity, which directly resulted in the two data breaches.
In an SEC filing, LabCorp outlined how the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but the legal action points out that the figure is just a fraction of the total losses and does not cover the cost of litigation that came after this. A number of class action lawsuits have been filed by victims of the AMCA data breach that name LabCorp so the total losses are not known to its shareholders. The lawsuit also states that the second breach has not been revealed publicly or in any SEC filings. Due to this, Eugenio alleges LabCorp failed in its responsibility to its shareholders and breached its duties of loyalty, care, and good faith.
The lawsuit claims LabCorp failed to put in place effective internal policies, procedures, and controls to protect patient information, there was not enough oversight of compliance with federal and state regulations and its internal policies and procedures, LabCorp did not have a sufficient data breach response plan, PHI was given to AMCA without ensuring the company had sufficient cybersecurity controls in place, LabCorp did not ensure that individuals and groups impacted by the breach were notified in a timely fashion, and that the company did not make adequate public disclosures about the data breaches.
The lawsuit is trying to obtain reimbursement for damages sustained due to the breaches and ensure public acknowledgement of the January 2020 data breach. The legal action also calls for a reform of corporate governance and internal processes and requires a board-level committee to be established and an executive officer position designated to ensure adequate management of data security in the future.