Advertisement

LabCorp investors file lawsuit, alleging ‘persistent’ failure to secure data

Burlington, North Carolina-based LabCorp never informed shareholders about the exposure of sensitive information this year, the lawsuit states.
LabCorp
( Flickr user <a href="https://flic.kr/p/6KEqAB">s2n82</a> / remixed by Greg Otto)

LabCorp investors have filed a lawsuit against the company following a major data breach last year that was one of three cybersecurity incidents the company has faced since 2018.

The suit, filed by shareholder Raymond Eugenio on behalf of LabCorp investors, alleges that the medical testing company’s chief executive, chief financial officer, chief information officer and its board of directors failed to address “persistently deficient” data protection measures.

The legal complaint, first reported by Bloomberg, involves a hack on the American Medical Collection Agency (AMCA), a debt collection agency which made collections on behalf of LabCorp and other medical companies. Hackers stole data about roughly 20 million people, including some 7.7 LabCorp patients, between August 2018 and March 2019. In a separate incident, LabCorp exposed 10,000 medical documents, including patient test results, according to a TechCrunch article published in January.

Burlington, North Carolina-based LabCorp never informed shareholders about the exposure of sensitive information this year, the lawsuit states. Investors also claim that 10.2 million LabCorp patients were affected by the AMCA breach, a higher figure than the 7.7 million people initially thought to be affected. The company’s failure to improve its security after the initial breach contributed to the data exposure, the suit also alleged.

Advertisement

“In light of LabCorp’s history of information security challenges, the company has both the knowledge and responsibility to heighten information security standards and processes to better protect the patients it serves,” the suit states.

Attackers previously infected LabCorp with ransomware in a separate cyberattack in mid-2018, resulting in system outages which lasted for days.

This suit comes after shareholders in Zoom, the San Jose-based maker of video-conferencing software, accused executives of fraud in connections with the company’s data protection strategies. By failing to disclose security vulnerabilities, and minimizing the extent to which unauthorized outsiders could have accessed data, plaintiffs alleged, Zoom leadership cost investors money.

The LabCorp lawsuit follows a similar logic. The medical testing company is subjecting shareholders to “continuing harm because the adverse consequences of the actions are still in effect and ongoing,” the suit states.

Meanwhile, the lawsuit likely only adds to the list of concerns at LabCorp. The company reported a net loss of $317.2 million in the first quarter of 2020, citing higher costs and lower demand due to the coronavirus pandemic.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts