Shareholder Sues LabCorp to Recover Losses Due to Data Breaches

A shareholder of LabCorp is taking legal action against the company and its executives and directors over losing share value that was due to two cyberattacks suffered by the LapCorp in the past 12 months.

LabCorp was badly affected by the data breach that happened in 2019 at American Medical Collection Agency (AMCA), a medical debt collection company. Hackers infiltrated AMCA’s systems and obtained the data of 10,251,784 patients who received LabCorp’s services. The breach affected around 24 of AMCA’s clients.

TechCrunch reported a second data breach at LabCorp in January 2020 that involved 10,000 LabCorp records, which allegedly was not openly disclosed by the firm nor brought up in any SEC filings. The breach was because of a website misconfiguration and allowed the documents to be accessed by anybody. The breach was additionally not reported to the HHS’ Office for Civil Rights, although TechCrunch researchers verified that the data files included patient data.

Raymond Eugenio has shares in LabCorp which lost value due to the data breaches and filed the lawsuit on April 23, 2020 to get back those and other losses. As per the lawsuit, the defendants are LabCorp together with 12 of the company’s executives and directors, such as LabCorp CIO Lance Berberian, director Adam Schechter and CFO Glenn Eisenberg.

The lawsuit claims that previous to the AMCA breach and after, LabCorp was unable to employ appropriate cybersecurity processes and didn’t have adequate oversight of cybersecurity, which directly led to the two data breaches.

In an SEC filing, LabCorp mentioned the company spent $11.5 million for the AMCA data breach in 2019 including remediation fees, however, the lawsuit explains that the amount is simply a fraction of the total losses and does not cover the price of litigation that followed. A number of class-action lawsuits were filed by the AMCA data breach victims named LabCorp hence the shareholders didn’t know about the total losses. The lawsuit additionally states that the second breach has not been recognized publicly or in any SEC filings. Therefore, Eugenio claims that LabCorp was unable to deliver its accountability to its shareholders and breached its responsibilities of loyalty, care, and good faith.

The lawsuit claims LabCorp

  • did not put into action efficient internal policies, processes, and controls to safeguard patient information
  • there was inadequate oversight of federal and state regulations compliance and its internal policies and procedures
  • didn’t have an adequate data breach response plan in place
  • offered PHI to AMCA without assurance the company had enough cybersecurity measures set
  • did not make sure that the people and entities affected by the breach were found on a regular basis
  • did not make enough public disclosures regarding the data breaches

The lawsuit seeks for repayment for damages suffered due to the breaches and public acknowledgment of the January 2020 data breach. The lawsuit likewise requires a reform of corporate governance and internal measures and demands a board-level committee to be created and the assignment of an executive officer to make sure sufficient oversight of data security.