A shareholder of LabCorp is filing a lawsuit against the company and its management and directors for the loss in share value that was a result of two cyberattacks encountered by the LapCorp in the last year.
LabCorp was terribly impacted by the data breach that occurred in 2019 involving American Medical Collection Agency (AMCA), a medical debt collection firm. The hackers who accessed AMCA’s systems acquired the information of 10,251,784 patients who availed LabCorp’s services. The breach affected about 24 of AMCA’s customers.
TechCrunch reported another LabCorp data breach in January 2020 which affected about 10,000 LabCorp records, which the legal action claims was not disclosed to the public by AMCA nor stated in any SEC submissions. The breach was caused by a site misconfiguration and made it possible for the records to be accessible to any individual. The breach was likewise not submitted to the HHS’ Office for Civil Rights, though TechCrunch researchers affirmed that the files were comprised of patient information.
Raymond Eugenio owns shares in LabCorp that lost value because of the data breaches and filed the legal case on April 23, 2020 to retrieve those and other lost profits. As per the lawsuit, the defendants are LabCorp including 12 of the firm’s directors and executives, which include LabCorp Director Adam Schechter, CIO Lance Berberian and CFO Glenn Eisenberg.
The lawsuit states that before to the AMCA data breach and afterwards, LabCorp didn’t use proper cybersecurity measures and had no enough supervision of cybersecurity, which directly caused the two breaches.
In a filing with the SEC, LabCorp stated the company expended $11.5 million for the AMCA data breach in 2019 as well as remediation expenses, nevertheless, the lawsuit states that the number is merely a portion of the overall losses and doesn’t include the value of litigation that ensued. A few class-action lawsuits were submitted by the AMCA data breach victims that identified LabCorp and so the shareholders have no knowledge about the overall lost values. The legal case likewise says that the second breach hasn’t been verified publicly or in SEC filings. Consequently, Eugenio states that LabCorp was unsuccessful in its duty to its shareholders and failed in its duties of commitment, health care, and good faith.
The lawsuit states LabCorp
- didn’t execute useful internal guidelines, measures, and controls to secure patient info,
- there was not enough oversight of state and federal rules compliance and its internal guidelines and processes
- was unable to have enough data breach response package set up
- PHI was given to AMCA with no guarantee the company had adequate cybersecurity controls in position, LabCorp didn’t make certain that the persons and entities impacted by the breach were discovered promptly, and that the organization didn’t make sufficient public disclosures concerning the data breaches.
The legal action wishes to get refund for harm endured because of the breaches and public acceptance of the January 2020 breach. The lawsuit furthermore demands a change of corporate governance and internal processes and calls for a board-level committee to be established and the designation of an executive officer to make certain enough monitoring of information security.