Quest Diagnostics faces a class-action lawsuit following a fax-related healthcare data breach, according to a recent press release.
Several hundred health files were allegedly sent to a New York-based marketing firm rather than to Quest for approximately one year. The mistake was due to human error: individuals from several providers incorrectly input Quest’s fax number, inadvertently sending the medical files to the marketing firm APS Marketing Group.
This healthcare data breach came to light when a representative from APS Marketing Group, Gabby Klotzman, reported it to the I-Team at NBC News. The I-Team reported that Klotzman discovered the breach several months ago after starting her job at the marketing firm and finding several medical files being sent to her office.
According to the I-Team, potentially compromised information included patient names, phone numbers, dates of birth, and in some cases, Social Security numbers.
Klotzman reportedly contacted Quest Diagnostics immediately, and the healthcare company explained it would remedy the issue and contact potentially affected individuals.
However, the faxes allegedly continued to come, prompting Klotzman to contact the Department of Health and Human Services (HHS), but to no avail.
After several months of receiving these medical files via fax, Klotzman contacted NBC’s I-Team, who contacted a handful of the individuals whose medical records had been compromised. Additionally, the I-Team encouraged Klotzman to contact Quest and HHS again.
Upon those follow-ups, Quest allegedly explained that it did not know the magnitude of the health data breach. According to Quest, it has added a revised fax number to account for any practices that may have input the original number incorrectly.
HHS also responded to Klotzman’s follow-ups, explaining that the case has been closed and that the department is providing technical assistance to Quest to resolve the issue.
About a week ago, Newman Ferrara LLP announced a class-action lawsuit against Quest due to its reportedly inadequate handling of the situation.
“That Quest was on notice of this massive data breach for perhaps a year or more, and yet failed to take any responsible or required action, amounts to an egregious dereliction of duty,” stated firm partner Jeffrey Norton in the press release. “Through this lawsuit, we intend to make sure something like this does not occur again.”
The plaintiffs allege that Quest did not take adequate action to prevent the health data breach from continuing, and also failed to adhere to HIPAA guidelines with regard to reporting a health data breach.
“Although Quest was alerted early on to the breach, the company did nothing to prevent the continued transmissions, failed to alert medical providers and patients, and failed to report the breach to authorities. As a result, the personal and sensitive medical information of hundreds of patients was disclosed to unauthorized third parties, putting their security and privacy at great risk,” the press release explains.