Quest Diagnostics Settlement of 2016 Data Breach Gets Final Approval

A federal judge has finalized the approval of a settlement involving Quest Diagnostics Inc. to resolve a class-action lawsuit over its 2016 data breach. The medical laboratory firm based in New Jersey will pay a $195,000 settlement, which gives every breach victim up to $325 compensation.

On November 26, 2016, hackers accessed the Care360 MyQuest mobile app which patients use to store and share their electrical test results and book consultations. The health app stored names, telephone numbers, dates of birth, and lab test results which, for a number of patients, included their HIV test results. The breach affected 34,000 patients.

According to the class-action lawsuit filed on behalf of breach victims in 2017, Quest Diagnostics was negligent in protecting the sensitive data of app users. The lawsuit states that even though Quest Diagnostics knew that it was storing sensitive Private Information making it valuable and vulnerable to cyber attackers, it failed to take enough measures that could have secured the information of users. The plaintiffs additionally stated that Quest Diagnostics didn’t give timely, accurate, and enough notification regarding the breach.

Last fall of 2019, Quest Diagnostics submitted a settlement proposal that provides compensation to the breach victims so as to avoid further legal expenses and the problem of ongoing litigation. The proposal will give as much as $325 per breach victim, which reflected the pros and cons of the claims and defenses in the legal case. Quest Diagnostics, as well as the other defendants, involved in the case did not admit any wrongdoing.

A federal court judge gave preliminary approval of the settlement obtained in October 2019. The final approval was released on February 25, 2020.

Each class member may claim around $325, which is made up of around $250 to pay for provable out-of-pocket costs sustained because of the breach. Another $75 may be claimed by each patient whose HIV test results were exposed, even though patients didn’t get any losses. Plaintiffs have to submit a claim so as to get a share of the settlement and they should submit the claims by May 22, 2020.

One more class-action lawsuit was filed against Care360 and Quest Diagnostics regarding the theft of roughly 12 million patient data from the American Medical Collection Agency (AMCA), its business associate in 2019. The plaintiffs in that legal case likewise claim the negligence of the defendants thus failing to safeguard their personal and protected health information (PHI) and failed to give timely and appropriate notifications.