April 8, 2020 – Investigation Closed, Lawsuits Continue
Thanks to everyone who helped contribute to this investigation. Multiple class action lawsuits have been filed and continue to make their way through the court system. Any significant updates will be posted to this page. Check out our open list of investigations or sign up for our newsletter for the latest news and information. The information below was posted when this investigation began and exists for reference only.
February 13, 2020 – Cases Consolidated
The lawsuits involving the data breach at American Medical Collection Agency have been consolidated to a single court before a single judge. To learn more about what this means, read our page on multidistrict litigation.
At A Glance
This Alert Affects:
Anyone who received a letter from Quest Diagnostics, LabCorp, or one of the smaller labs in the list below stating that your information was compromised as part of a data breach at American Medical Collection Agency, which does business as Retrieval Masters Creditors Bureau. This alert is geared toward individuals who are interested in serving as a plaintiff in a class action on behalf of the millions of affected individuals.
What’s Going On?
Attorneys working with ClassAction.org would like to talk to people who meet the description outlined above as part of their investigation into the data breach. Several class action lawsuits have already been filed, but they would like to speak to additional individuals who may be able to serve as plaintiffs and help strengthen the litigation. In general, the litigation becomes stronger as more individuals are added as plaintiffs to represent the class.
How Can a Class Action Help
A lawsuit could help consumers receive compensation for the loss of their data and/or be reimbursed for identity theft losses or costs spent for credit reports, credit monitoring, and other expenses related to the breach. The companies could also be required to make certain changes to their data security practices to ensure patients’ information is properly protected.
What’s the Catch?
There is none! It doesn’t cost anything to get in touch and the only people we will ever send your information to are the attorneys we work with.
Class action lawsuits have been filed against American Medical Collection Agency, Inc. (AMCA), Quest Diagnostics, LabCorp and several smaller labs concerning a data breach that took place between August 1, 2018 and March 30, 2019 that allowed hackers to access the private information of millions of patients.
As part of an ongoing investigation into the breach, attorneys working with ClassAction.org would like to speak to anyone who meets the following qualifications and is interested in serving as a plaintiff to pursue litigation on behalf of the class:
You received a letter from Quest, LabCorp or one of the smaller labs listed below stating that your information was compromised as part of a data breach at AMCA; or
You received a data breach letter from AMCA and, in addition, you have copies of collections notices or other documentation linking your involvement in the AMCA data breach to a particular lab. (Note: AMCA's notices do not specify which lab the person was affiliated with for purposes of the breach. Quest, LabCorp and certain other labs have sent their own letters to some or all of their patients who were affected by the breach. It is important that the attorneys know which lab you were affiliated with.)
Whom Did the Data Breach Affect?
It has been reported that the data breach affected over 20 million people. The breach occurred at American Medical Collection Agency – and not at Quest, LabCorp or the other labs themselves – and therefore only affected individuals whose past-due bills at those labs were sent to AMCA for collections.
Patients who simply visited Quest Diagnostics, LabCorp or one of the other labs for testing and who were not in debt collection are not affected by the breach.
The full list of labs affected by the breach can be seen below.
American Esoteric Laboratories
BioReference (a subsidiary of OPKO Health)
Clinical Pathology Laboratories
CompuNet Clinical Laboratories
Laboratory Medicine Consultants
Sunrise Medical/Sunrise Laboratories
Wisconsin Diagnostic Laboratories
West Hills Hospital and Medical Center (United West Labs)
What Happened Exactly?
It has been reported that between August 1, 2018 and March 30, 2019, a hacker had access to an AMCA system that contained personal information received from Quest Diagnostics, LabCorp and other smaller labs. Optum 360, a contractor of Quest, also reportedly used AMCA for collections.
Information from Quest patients compromised in the data breach includes:
Social Security numbers;
Financial information (e.g., credit card numbers and bank account information);
Medical information; and
Additional personal information.
Information from LabCorp patients compromised in the data breach includes certain personal information and, for a more limited number of patients, credit card or bank account information. It may also include Social Security numbers for a small subset of patients.
Information from other labs' patients is generally similar to these data types.
What Do the Lawsuits Say About the Data Breach?
The lawsuits claim that AMCA’s failure to properly safeguard consumers’ information allowed hackers to access its systems for eight months. Had the company properly safeguarded and monitored it systems, the breach would not have occurred or AMCA would have discovered the breach much sooner, according to the suits.
Quest, LabCorp, the other labs and AMCA had a duty to keep patients’ information confidential, yet failed to take the steps needed to do so. Specifically, the suits claim the defendants neglected their responsibilities to consumers when they failed to:
Maintain proper data security systems to prevent data breaches and cyberattacks
Properly monitor data security systems for possible intrusions
Make sure that vendors took reasonable security measures to prevent breaches
Implement procedures to prevent, detect, contain, and correct data security violations
Ensure the confidentiality and integrity of electronic protected health information that was created, maintained and distributed among vendors
Implement procedures to regularly review information system activity, such as access reports, audit logs and security incident tracking reports
Train employees on the policies needed to keep protected health information safe and secure
How Can a Class Action Lawsuit Help?
In general, data breach class actions seek to recover:
Reimbursement of losses suffered due to identity theft and fraud
Reimbursement of credit monitoring fees, credit report fees and credit freezes
Money for lost time spent responding to the breach
Free credit monitoring
Free identity theft insurance
A class action lawsuit could also require the companies at fault to make substantial improvements to their data security systems to ensure such a breach does not occur again in the future.