Industry Regulations, Breach, Ransomware

Quest’s ReproSource faces patient lawsuit over data breach impacting 350K patients

ReproSource Fertility Diagnostics, a subsidiary of Quest Diagnostics, notified about 350,000 patients that their data was potentially accessed or acquired in a ransomware attack. (Quest Diagnostics)

One month after notifying 350,000 patients of a potential theft of their protected health information, ReproSource Fertility Diagnostics has been sued by a patient over alleged security failings. ReproSource is a clinical laboratory for fertility specialists and a subsidiary of Quest Diagnostics.

First disclosed Oct. 8, an attacker hacked into the ReproSource network in early August. The security team detected the intrusion two days later when the ransomware was deployed, but not before the actor possibly accessed or exfiltrated certain patient health information.

The notice explained that the investigation was ongoing, but the analysts were able to determine the type of data impacted by the incident that varied by patient, such as medical histories, test reports, CPT and diagnosis codes, and other data provided to the physician, as well as billing and further health data.

Quest officials informed patients of the ongoing investigation and that a follow-up disclosure may be released at its completion.

However, the lawsuit alleges Quest and ReproSource failed to timely notify patients of the data breach in violation of Massachusetts law, noting that the vendor did not “provide prompt and direct notice of such breach to any affected Massachusetts residents, to the Massachusetts attorney general, and to the director of consumer affairs and business regulation for” the state.

“ReproSource’s notice of data breach was not just untimely but woefully deficient, failing to provide basic details, including but not limited to, how unauthorized parties accessed its networks, whether the information was encrypted or otherwise protected,” how it discovered the intrusion, the impacted systems, or whether the servers storing patient data were accessed.

It should be noted that the breach disclosure was within the 60-day timeframe required by The Health Insurance Portability and Accountability Act.

The lawsuit claims the breach was caused by ReproSource failing to take reasonable measures to protect patient data, detailing the elements recommended by a number of cybersecurity leaders. 

The suit outlines the ongoing attacks against the healthcare sector that have plagued the sector and asserts that the breach could have been prevented if these measures were implemented. 

“ReproSource failed, however, to take adequate cybersecurity measures to prevent the data breach from occurring,” according to the lawsuit. “With respect to training, ReproSource specifically failed to implement a variety of anti-ransomware training tools.”

ReproSource is also accused of failing to “perform regular training at defined intervals such as bi-annual training and/or monthly security updates” and failing to “craft and tailor different approaches to different employees based on their base knowledge about technology and cybersecurity.”

The lawsuit further alleges that RepoSource violated HIPAA and Federal Trade Commission regulations.

As a result, the breach victims are now at risk of identity theft and other harms. The patient who filed the lawsuit “received a cryptically written notice letter from ReproSource stating that her information was released.” However, the publicly displayed breach notification instead stated that the investigation could not confirm if any protected health information was acquired.

It’s unclear how the lawsuit will proceed, as no actual harm has been presented as a direct result of the breach outside of time spent on defending against identity theft. In June, the Supreme Court ruled that only individuals “concretely harmed” by a breach violation have standing to seek damages against an entity.

For comparison, Eskenazi Health is allegedly facing a similar lawsuit after notifying 1.5 million patients of a ransomware-related data breach. The Indiana-based health system swiftly notified patients of the data theft and dark web leak, just weeks after discovering the incident.

In that lawsuit, a patient revealed her credit card was fraudulently used and an actor attempted to change her name on her credit report. The patient has lost money and time to repair the damage allegedly caused by the breach.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.