Employers and Wellness Plans: Questions about Quest Breach?

Last week, we wrote that Quest Diagnostics reported in a security filing that a collection agency performing collections for the company had suffered an intrusion that exposed almost 12 million individuals’ personal and financial information. Another lab company reported days later that it was notified that the information of 8 million of its patients had been compromised as well, bringing the total to almost 20 million.

What we have been able to learn is that the records compromised were only those in collections, not all lab records. The Connecticut and Illinois Attorneys General are both investigating the facts.

Many self-funded health plans and wellness plans have asked us what to do if they use these two lab companies. Here are some thoughts.

First, we have been told that the self-funded and wellness program products were not affected. If confirmed, this would be good news. This means that normal labs and drug testing that employers perform or employees have taken should not be affected. But any labs that have not been paid, or are in collections, might be affected. Again, it appears that only information of collection cases is involved.

Nonetheless, there is a lot of confusion about the personal information of employees that may have been impacted, and about how to communicate with employees, who are understandably nervous and may have questions for employers and wellness plans.

The lab companies have not yet been told which patients’ personal information was compromised, so it is hard to evaluate which employees’ information, if any, was involved. The lab companies are trying to find that out from the collection agency, but this has not yet been accomplished.

Employees are asking questions, and most companies want to assist their employees, so they are trying to figure out next steps. Employees generally appreciate transparency about what their employer has been told by the lab company. Let them know in an email or other correspondence that you are trying to find out who was impacted, if anyone. If the lab company confirms that the only people who were impacted are those whose bills are in collection, and that affected employees are required to be notified under state or federal law, pass that information along, so that employees know they will be notified if their information was compromised.

Let them know that you are working on it, that you are in touch with the lab company to find out who was impacted, and that you will assist your employees/members, if possible, in the event their information was compromised.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.

About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence
Partner

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...

401-709-3353