Quest Diagnostics (Quest) and LabCorp each reported in their respective 8-K filings with the Securities and Exchange Commission that they had been notified by American Medical Collection Agency (AMCA), a billing collections vendor, that between August 1, 2018 and March 30, 2019 an unauthorized user had access to an AMCA system containing information AMCA had received from both companies. The number of affected individuals is estimated at 11.9 million for Quest and 7.7 million for LabCorp. The information potentially exposed includes credit card and bank account numbers, medical information, and personal information such as Social Security numbers.
Both Quest and LabCorp are “Covered Entities” as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and AMCA is a “Business Associate” of the two companies. The unauthorized access to AMCA’s system constitutes a “Breach” of Protected Health Information (PHI) for which the Covered Entities are responsible. The obligations this Breach creates for Quest and LabCorp are significant. At a minimum, the two companies must report the Breach to the Office for Civil Rights, notify each affected individual, and provide certain additional services to the affected individuals. Complying with the HIPAA Breach notification requirements alone is likely to cost each company millions of dollars. These costs may be covered in part by cyber insurance, but Quest’s filing states that its “insurance is limited in amount and subject to a deductible.” The companies are likely to incur significant additional expenses related to the Breach, including investigative costs, potential fines, and legal fees. There is also the risk of legal action by affected individuals. Finally, a myriad of state laws across the country protect consumers from data breaches, separate and apart from HIPAA, and these may also be implicated, exposing the companies to additional liability.
The reports of HIPAA Breaches by these two companies illustrate the need for all Covered Entities, including hospitals, physician practices, laboratories and pharmacies, to be particularly vigilant when engaging third parties to provide services that require the Covered Entity to disclose PHI. Many healthcare providers use third-party billing and technology companies that receive massive amounts of PHI, and the Covered Entity remains responsible for the security of the data it discloses. HIPAA already requires a Business Associate Agreement (BAA) before PHI may be shared with a Business Associate, but the regulatory minimum does not protect the Covered Entity from the cost of the vendor’s Breach. It is therefore critical that Covered Entities have robust BAAs in place with any entity receiving PHI. Key provisions of a well-drafted BAA include indemnification by the Business Associate for any Breach, as well as requirements that the Business Associate maintain sufficient cyber insurance coverage to cover the cost of a Breach. A BAA allocates liability after the fact; it does not by itself prevent a Breach, so contractual protections should be paired with diligence on the vendor’s security practices before PHI is disclosed.
Frier Levitt has advised hundreds of clients on HIPAA and on data security and privacy, including the creation of HIPAA plans, Breach reporting, and performing risk assessments. Frier Levitt is well-qualified to draft BAAs that provide the requisite protection to Covered Entities, and to review and revise BAAs presented to Covered Entities by Business Associates. Contact Frier Levitt today for assistance with any HIPAA issue.