[BreachExchange] Quest Diagnostics Proposed Breach Settlement Approved

Destry Winant destry at riskbasedsecurity.com
Wed Oct 30 10:04:02 EDT 2019


https://www.databreachtoday.com/quest-diagnostics-proposed-breach-settlement-approved-a-13305

A federal court has given preliminary approval for a $195,000
settlement of a class action lawsuit filed against medical testing
laboratory Quest Diagnostics in connection with a 2016 data breach
affecting 34,000 individuals that exposed HIV-testing information of
some patients.

The agreement, which was negotiated by mediators and approved on Oct.
25 by a New Jersey U.S. district court judge, settles a class action
filed in 2017 in the aftermath of a November 2016 hacking incident
involving Quest's MyQuest by Care360 internet application. The
settlement comes after plaintiffs filed their original complaint in
2017 and then subsequently filed two amended complaints.

In a breach notification statement issued in 2016, Quest Diagnostics
said that "an unauthorized third party" accessed the web application
and obtained protected health information of approximately 34,000
patients.

The lawsuit against Quest Diagnostics alleges, among other claims,
that the Secaucus, New Jersey-based company failed to safeguard its
clients' PHI - including laboratory test results and personal
identifying information such as names, dates of birth, and phone
numbers - and also failed to provide "timely, accurate and adequate
notice to plaintiffs and other class members that their private
information had been stolen."

In a statement provided to Information Security Media Group, Quest
Diagnostics says that while the company "continues to believe that the
claims brought by the plaintiff are meritless, the company decided to
resolve the issue now to avoid protracted litigation and associated
costs."

Settlement Details

Under the settlement, lawsuit class members who submit claims showing
monetary losses resulting from the incident can receive $250 each.
Class members whose HIV test results were disclosed in the incident
will be paid $75. So the maximum payment to any class member is $325.

Neither Quest Diagnostics nor attorneys representing plaintiffs in the
lawsuit immediately responded to ISMG's inquiry about approximately
how many individuals affected in the data breach had their HIV testing
information compromised.

Sensitive Data

Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg
P.C., who is not involved in the case, says that the settlement
spotlights the importance of properly securing sensitive health
information.

"What is interesting here is that although it remains with the
individual class members to provide proof of any monetary damages, the
court permitted a fixed - albeit low - settlement payment to those
class members whose HIV health information was exfiltrated," he says.

"HIPAA treats certain health-related information - such as substance
addiction, HIV status and psychotherapy - as needing elevated
protection, and the court's acceptance of this carve-out indicates
that the unauthorized disclosure of extra-sensitive protected health
information carries with a presumption of injury, and Article III
standing."

Article III standing demonstrates to a court that a party suffered
some sort of harm by another's actions.

Other Settlements

A number of class action settlements have been reached in other cases
involving a breach of HIV-related treatment or testing data.

For example, Aetna reached several settlements for lawsuits stemming
from a July 2017 mailing mishap in which a vendor sent letters to
health plan members that revealed through the envelope's oversized
clear windows that the recipient was taking HIV-related medication.

Aetna signed settlements totaling about $3 million with several
states' attorneys as well as a $17.2 million settlement of a class
action lawsuit filed against the company on behalf of affected
individuals.

"The victims in the Aetna case whose PHI was disclosed could receive a
base payment of $75," says privacy attorney David Holtzman of the
security consultancy CynergisTek. But the Aetna claimants were
entitled to $500 if they received a large window envelope from Aetna
that would have more likely disclosed their HIV status and up to
$20,000 by documenting financial or emotional harm, he notes.

"Perhaps distinguishing the significantly lower award in the Quest
case, it is not known how many individuals whose test data was
disclosed had been diagnosed with HIV or if there was evidence to the
extent that the PHI had been acquired or viewed," Holtzman adds.

The $250 payments for those who can show evidence of monetary losses
resulting from the Quest Diagnostics breach are meant to compensate
for identity theft, purchasing credit or identity monitoring services
or other documented expenses, Holtzman notes.

"Individuals whose test results were disclosed and can demonstrate
significant financial, reputational or emotional harm may choose to
decline this settlement to pursue their own lawsuit against Quest in
hopes of convincing a court that the breach was preventable and they
are due money damages," he adds.

While the volume of "extra sensitive health information" - such as HIV
or mental health records - may be small in comparison to the totality
of PHI maintained by most healthcare providers, "it is by no means
insignificant," notes attorney Teppler.

"In a way, this speaks to the larger issue of protecting all PHI from
unauthorized disclosure - and for providers, it makes sense to make
these extra protections global and not just for extra-sensitive PHI."

Critical Issues

Independent HIPAA attorney Paul Hales, who was not involved in the
case, says the court's approval of the settlement is significant
because it contains two key findings.

"First, the court has jurisdiction over the subject matter of the
lawsuit, which consists of allegations of negligence, breach of
contract and violation of New Jersey law based on Quest's failure to
protect health information required by HIPAA," he says.

Second, good cause exists for the court to certify the lawsuit as a
class action, he adds.

"These are two critical issues for similar lawsuits," Hales says. "The
settlement itself has no precedential value and reflects the
difficulty in quantifying an amount of damages and overcoming
arguments by excellent defense lawyers. However, if courts agree that
they have subject matter jurisdiction over these types of lawsuits and
that a plaintiff may effectively represent a class of individuals who
suffered harm, the door will open wider for people aggrieved by health
information breaches."

Other Breach Lawsuits

Quest Diagnostics is also named as one of several co-defendants in a
number of class action lawsuits filed in the wake of the American
Medical Collection Agency hacking breach, which was revealed earlier
this year.

In that incident, more than 12 million patients who had lab tests
performed by Quest Diagnostics had their data potentially exposed.
