LabCorp is being sued for failing to secure its patients' personal information. The suit stems from a data breach of the American Medical Collection Agency, which LabCorp provided with customers' information.
Laboratory Corporations of America Holdings, which does business as LabCorp, is facing yet another proposed class action – this the latest in a series of suits stemming from a breach of patient data last year.
LabCorp routinely collects and stores patients’ personal and medical information and often will provide a debt collection agency with this information in order to obtain payments on overdue invoices, the suit explains. One such agency is Retrieval-Masters, also known as the American Medical Collection Agency (AMCA).
According to the lawsuit, LabCorp provided AMCA with patient information that the latter stored on servers that were accessed by an unauthorized third party between August 2018 and March of this year. The breach reportedly affected nearly 12 million people, and exposed Social Security numbers, credit card information, and checking account numbers, among other sensitive data. Several other corporations also reportedly shared customers’ information with AMCA and now find themselves facing similar suits over the breach.
According to the complaint, LabCorp was made aware of the breach as early as May 14th yet waited over two months to inform its patients–despite the fact that it pledged on its website to inform customers of such breaches within 60 days. Other estimates, however, have stated that the breach was discovered by AMCA long before May.
According to an earlier suit, American Medical Collection Agency was alerted to the breach by a third party on March 1st of this year, yet claims to have had no knowledge of the incident until March 20th. The collection agency reportedly alerted the public on June 6th; LabCorp allegedly took over an additional month to do the same. The suit argues that this failure to issue a timely warning was negligent and made it harder for plaintiffs to protect themselves from identity theft.
Although LabCorp was authorized to share information with AMCA, the suit accuses the company of negligence for storing the plaintiffs’ “protected personal information in an unprotected, unguarded, unsecured, and/or otherwise unreasonably protected electronic and/or physical location.” The suit further claims the hack could have been prevented, stating the unauthorized third party “could not have gained unauthorized access to Plaintiff’s information but for Defendant’s negligence.”
The complaint requests certification of a nationwide class of everyone whose information was affected by the breach, as well as a specific subclass for consumers in West Virginia.