HIPAA and Compliance News

LabCorp Hit with Shareholder Lawsuit Over 2 Separate Data Breaches

Following a second breach in less than a year, a LabCorp shareholder is suing the testing giant in an attempt to recoup share value losses.

healthcare data breach lawsuit shareholder cybersecurity failures breach litigation

By Jessica Davis

- LabCorp shareholder Raymond Eugenio recently filed suit against the lab testing giant, as well as its 12 directors and executives, to recoup share value losses caused by two data breaches, first reported by Bloomberg Law. LabCorp was one of the two dozen companies impacted by the American Medical Collection Agency breach last year.

The AMCA security incident was the largest healthcare data breach of 2019, where hackers compromised AMCA systems for about eight months. About 7.7 million LabCorp patients were affected by the breach, leading those patients to filed several lawsuits against both AMCA and LabCorp.

LabCorp was also involved in a January 2020 breach involving 10,000 company documents, a result of a website misconfiguration that allowed the information to be viewed by anyone, made public by TechCrunch.

According to the lawsuit, the second breach was not publicly disclosed nor mentioned in any Securities and Exchange Commission filings. The incident is currently not listed on the Department of Health and Human Services breach reporting tool, despite the involvement of patient data.

As a result of these incidents, LabCorp shares have lost value. Eugenio filed suit at the end of April to recoup some of those losses. Calling LabCorp’s cybersecurity measures “historically and persistently deficient, the lawsuit claims LabCorp failed to implement adequate procedures, including a lack of sufficient oversight, which directly resulted in the separate data breaches.

In an earlier SEC filing, the AMCA breach cost LabCorp $119 million for its breach response and remediation. The lawsuit argues this amount if just a fraction of the overall losses and does not include litigation costs incurred by the lawsuits that followed.

As the second breach has not yet been publicly reported by LabCorp, the lawsuit alleges that the company failed its responsibility to shareholders and breached its loyalty, care, and good faith duties.

The lawsuit also references LabCorp’s July 2018 ransomware attack, which again potentially exposed the data of million of patients after hackers locked up tens of thousands of LabCorp workstations. They argue due to this previous attack, “the members of the audit committee… knew or should have known of the cyber risks and threats facing the company.”

The suit further argues that LabCorp failed to put a data breach response plan into place, while failing to implement and enforce an effective internal control system and procedures designed to protect patient data. LabCorp also allegedly failed monitor compliance with its own procedures and federal and state regulations.

“[The] directors and or officers of Labcorp are responsible for the ongoing potential liability caused by their willful and or reckless violations of state notification statuses,” the lawsuit alleges. “[They] have and had a continuing contractual and common-law duty and obligation to keep confidential the PII and PHI their patients disclosed to LabCorp and to protect this PII and PHI from unauthorized disclosure.”

The company also allegedly sent protected health information to AMCA without verifying that the vendor had sufficient cybersecurity controls in place, while failing to provide timely breach notifications to the affected individuals.

Lastly, the lawsuit argues LabCorp failed to make adequate public data breach disclosures. Eugenio is seeking reimbursement for damages incurred by the breaches, as well as asking for public acknowledgement from LabCorp about the second breach.

“LabCorp's credibility, reputation, and goodwill have likewise been damaged, and the company remains exposed to significant potential liability," the lawsuit argues.

Further, the lawsuit is seeking an overhaul of corporate governance and internal procedures, including the addition of a board-level committee and a new executive officer position tasked with overseeing LabCorp’s data security.