The headlines splashed the news about another data breach: this one from Quest Diagnostics, and just days later from LabCorp. Both reported the breaches in recent Securities and Exchange Commission filings. The filings note that a contractor of both, American Medical Collection Agency (AMCA), used for billing and collections matters, reported the breach but did not yet have information about what specific data was accessed.
Quest noted that no lab results were provided to the contractor but did indicate that medical information may have been accessed. It is not clear how that type of vendor could hold medical information from Quest if no lab results were shared, but that statement potentially raises concerns from a HIPAA privacy perspective.
There were some differences in the LabCorp disclosure. LabCorp notes it provided no data about tests ordered, laboratory results or diagnostic information to AMCA, and AMCA has advised LabCorp that Social Security numbers and insurance identification information are not stored or maintained for LabCorp consumers. LabCorp’s disclosure made no mention of medical information being accessed. Therefore, a HIPAA violation is presumably less likely in the LabCorp breach.
What, if anything, should an employer that sponsors a group medical plan do?
The extent of the data breach, and whether any protected health information (PHI) was affected, is not yet known. Both Quest and LabCorp indicate no lab-related information was compromised, so it may be that there was no data breach attributable to any group health plan.
HIPAA privacy rules require any covered entity or business associate of a group medical plan to comply with the HIPAA privacy obligations. The Department of Health and Human Services recently updated its guidance on HIPAA obligations for plan business associates, reiterating those obligations.
Quest, LabCorp, any of their subcontractors that access PHI, and any of their other business associates will be responsible for mitigating potential negative effects from the release of any PHI. Since there isn’t enough information to act on, employers cannot take affirmative action at this time. That does not mean employers should simply ignore this and hope it goes away. Employers should continue to monitor the situation and, if PHI was released, push Quest and LabCorp to mitigate any negative effects at that time.
Is there a remedy for this kind of breach?
Typically, in these situations, the compromised companies have offered affected individuals credit monitoring services for a year or so at no charge. LabCorp specifically noted that AMCA is going to offer free credit monitoring for 24 months to affected individuals. Employers and their employees will need to determine whether they want to take advantage of the offer.
Lockton comment: The offers for credit monitoring at no cost have become a routine response to these types of data breaches. Since the affected individuals do not have to pay for the service, accepting the offer does not have a major downside. However, many commentators question the utility of the monitoring services in these situations, and the affected individuals should not expect the monitoring services to fix any issues that might arise because of the data breach.