A lawsuit has been filed against Quest Diagnostics and its subsidiary ReproSource Fertility Diagnostics in the US District Court for the District of Massachusetts over an August 2021 ransomware attack that affected 350,000 individuals.
On October 8, 2021, ReproSource began sending notification letters to affected individuals, informing them that some of their protected health information (PHI) may have been accessed or stolen before the ransomware was used to encrypt files. The information stored in the part of the environment that the attackers accessed included names, dates of birth, test results, medical histories, diagnosis codes, billing details, Social Security numbers, and other data.
Although the breach notification letters were sent within the 60-day window required by HIPAA, the lawsuit alleges that Quest and ReproSource failed to notify patients promptly, in violation of Massachusetts law. The lawsuit also alleges that the letters, issued more than a month after the attack, omitted essential details about the breach: whether the attackers had accessed the servers that stored patient information, whether the data on those servers had been encrypted, the nature of the attack, and which systems were affected. Jasmyn Bickham, the patient named in the lawsuit, states that the letter she received said her PHI had been exposed, even though the breach notice posted on the company's website did not say whether the attackers had obtained patient data.
The lawsuit alleges that the attackers gained access to ReproSource's systems because of a failure to implement appropriate security measures to protect patient information, as required by the HIPAA Security Rule, and that had those measures been in place, the ransomware attack and data breach likely would not have occurred. The lawsuit claims that the failure to secure the information violated a number of state and federal laws, and that the security failures were particularly egregious given the many warnings issued to the healthcare sector about the rise in ransomware attacks.
HIPAA requires that employees be given security awareness training. The lawsuit alleges that the failure to train employees violated both HIPAA and Federal Trade Commission rules: security awareness training was not provided at the required intervals, and the training program was not tailored to employees with differing levels of understanding of cybersecurity and technology.
The lawsuit alleges breach of contract, breach of fiduciary duty, breach of implied contract, and negligence, and seeks class-action status. It claims that patients affected by the breach face a heightened risk of identity theft and fraud and have had to spend time protecting themselves against those risks.
The lawsuit seeks actual, compensatory, punitive, and statutory damages and attorneys' fees, and asks that ReproSource be required to improve its security systems and return wrongfully retained revenue. It also asks that the plaintiff and class members receive a minimum of 3 years of credit monitoring services; ReproSource provided affected individuals with only one year of credit monitoring.