After recently dodging a legal bullet over an alleged HIPAA violation, LabCorp is now facing a network security breach that forced the North Carolina-based laboratory diagnostics firm to shut down its IT network, possibly placing the PHI of millions of people at risk.
In a July 16 statement, LabCorp said it detected suspicious activity on its IT network during the weekend of July 14-15. It took systems offline, which affected test processing and customer access to test results.
LabCorp said it was working “to restore full system functionality as quickly as possible.” It said that testing operations had substantially resumed on July 16 and additional systems and functions would be restored over the next several days.
“At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation,” it said.
The Daily Mail reported that hackers tried to access medical records of millions of people, quoting a company insider.
The insider said that it could be weeks before the company can determine the extent of the breach or whether patient data was compromised.
“The only reason for a nationwide shutdown would be in a scenario where there was suspicion of a data intrusion. LabCorp was hacked and the suspicion is they were pulling data, but the full extent of what was accessed, if anything, isn't clear,” the insider was quoted as saying.
“The company acted swiftly to stop the intrusion, but the fact is the private medical information of millions of patients may have been accessed,” the insider added.
The Wall Street Journal, citing people familiar with the situation, reported that the attack affected tens of thousands of LabCorp workstations, servers and devices, and that the disruption spread to Covance. The breach began at a genetic-testing business in LabCorp’s specialty diagnostics division, which the medical testing firm had recently acquired.*
The breach follows a court battle over an alleged HIPAA violation that LabCorp ultimately won. Last month, a US District Court Judge dismissed a lawsuit by Hope Lee-Thomas accusing LabCorp of a HIPAA violation for not providing adequate privacy protections at its Providence Hospital computer intake station.
In her lawsuit, Lee-Thomas charged that LabCorp failed to shield her PHI from public view at its computer intake station at Washington, DC-based Providence Hospital. The station was next to a Quest Diagnostics computer intake station, and her information was visible to the person using the Quest station, she said in her complaint.
LabCorp filed a motion to dismiss the case arguing that an individual cannot bring a lawsuit under HIPAA. The judge agreed.
“While the [HIPAA] statute provides both civil and criminal penalties for improperly handled or disclosed information, the language of the statute specifically limits enforcement action to HHS and individual states’ attorneys general,” the judge noted.
“Furthermore, courts in this and other circuits that have considered the question have reached a consensus that the statutory language of HIPAA grants no private right of action,” he wrote.
The law firm of Thompson Hine commented in a blog post that “an individual whose PHI has been used or disclosed by a health care provider in violation of HIPAA may not bring a civil claim against the health care provider under HIPAA.”
“Moreover, HIPAA specifically preempts any contrary provision of state law, meaning that a state law claim cannot be brought where a health care provider cannot comply with both the state and federal laws, or where the state law is an impediment to HIPAA’s objectives,” the law firm added.
Some state court decisions have held that a HIPAA violation may form the basis for a state law negligence claim involving disclosure of PHI.
The law firm cited a 2014 ruling by the Connecticut Supreme Court that held that breaches of PHI can expose healthcare providers to claims of negligence brought by individuals under state law.
In Byrne v. Avery Center for Obstetrics and Gynecology, a healthcare provider, in response to a subpoena, provided the plaintiff’s medical records in a paternity action without notifying the plaintiff or objecting to the subpoena, as HIPAA requires.
The court in that case ruled that the plaintiff’s claims were not preempted by HIPAA.
*This story has been updated with information from the Wall Street Journal report.