CIO Is Among a Dozen LabCorp Executives, Directors Named in Lawsuit
A shareholder has filed a lawsuit against LabCorp and 12 of its executives and directors – including the medical testing company’s CIO – over two data breaches, including the 2019 breach of one of its vendors, American Medical Collection Agency, which affected millions of patients.
In the lawsuit filed on April 23, shareholder Raymond Eugenio alleges that Burlington, N.C.-based LabCorp’s leadership failed to address cybersecurity weaknesses and adequately notify breach victims and shareholders about the two incidents.
The lawsuit seeks to hold LabCorp’s leadership accountable for “damages” sustained by the company due to the breaches and force the company to make changes in its “governance and internal procedures” to prevent future breaches.
The legal action makes an important and often overlooked point, says independent HIPAA attorney Paul Hales, who is not involved in the case.
“Top management is fully responsible for an organization’s compliance with health information privacy laws,” he says. “They may delegate authority to privacy and security officials who develop and implement a HIPAA compliance program. But they cannot delegate responsibility. And in delegating authority, they must ensure and regularly confirm that HIPAA compliance officials have sufficient resources, training and are doing the job properly.”
2 Security Incidents
The lawsuit focuses on two breaches, including the AMCA incident that affected about 10.2 million patients of LabCorp, as well as many others.
The lawsuit also claims that LabCorp failed to publicly report another data breach in early 2020 involving about 10,000 documents that the company left exposed on a website, according to a January report in TechCrunch.
“Although LabCorp was aware of the [alleged] second breach reported by TechCrunch in January 2020, the company has failed to disclose this breach in any widely disseminated public release or SEC filing,” the shareholder lawsuit alleges.
As of Thursday, the January 2020 LabCorp incident was not on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.
LabCorp did not immediately respond to Information Security Media Group’s request for comment.
Board Members, Executives Are Defendants
Among the 12 individual defendants named in the shareholder’s lawsuit is Lance Berberian, LabCorp’s chief information and technology officer.
Also named as defendants are Glenn Eisenberg, LabCorp’s CFO, and Adam Schechter, who court documents note has been a director of the company since April 2013 but began serving as LabCorp’s president and CEO effective Nov. 1, 2019.
Nine LabCorp directors, who are also members of the company’s various audit, compliance and governance committees, were named as defendants as well.
Security Shortcomings Alleged
The lawsuit claims that, prior to and subsequent to the AMCA breach, LabCorp continued to have insufficient cybersecurity procedures and oversight.
LabCorp disclosed in SEC filings that the company spent $11.5 million during 2019 for response and remediation costs related to the AMCA breach, the lawsuit states.
“The amount disclosed by LabCorp does not include or contemplate the extensive litigation costs resulting from the [AMCA] breach,” the shareholder’s lawsuit notes, referring to separate class action lawsuits that have been filed against LabCorp, other victim companies and AMCA.
The company also has not disclosed how much it anticipates the AMCA breach could cost in subsequent years, nor has it disclosed any costs associated with the second alleged 2020 breach, the lawsuit states.
The shareholder’s lawsuit further alleges that LabCorp’s board disregarded its duties to provide timely notice of the data breaches to affected individuals.
“The individual defendants breached their duties of loyalty, care and good faith” in a variety of ways, the shareholder’s lawsuit alleges. That includes:
- Failing to implement and enforce a system of effective internal controls and procedures to protect patients’ information;
- Failing to exercise their oversight duties by not monitoring LabCorp’s compliance with its own procedures and federal and state regulations;
- Providing PII and PHI of patients to AMCA – a business associate under HIPAA – with deficient cybersecurity and breach detection;
- Failing to ensure that LabCorp, as well as its business associates, used proper cybersecurity safeguards;
- Failing to have a sufficient incident response plan to immediately respond to data breaches;
- Disregarding, delaying and failing to ensure that the company notified all potentially affected individuals and entities in a timely manner upon discovering the data breaches;
- Failing to make adequate public disclosure of the data breaches as required under state and federal laws and regulations.
“LabCorp’s credibility, reputation, and goodwill have likewise been damaged, and the company remains exposed to significant potential liability,” the lawsuit alleges.
The lawsuit asks the court to:
- Direct the defendants to account for all damages sustained as a result of the breaches;
- Require the company to reform its corporate governance and internal procedures;
- Require the company to create a board-level committee and executive officer position for the oversight of data security;
- Order a disclosure of information about the January 2020 breach.
An attorney at a law firm representing the LabCorp shareholder in his lawsuit against the medical testing company did not immediately respond to an ISMG request for comment.
Unusual Legal Action
Some experts note that a lawsuit filed by a shareholder of a public company following a data security incident is uncommon.
“This shareholder derivative suit is a highly unusual way of trying to recover damages stemming from a health information breach,” says independent HIPAA attorney Paul Hales.
“The nominal plaintiff is LabCorp. A shareholder on behalf of LabCorp has brought this lawsuit against LabCorp’s directors and officers alleging their failure to manage the corporation properly resulted in the breaches and consequently damaged LabCorp and its owners, the shareholders.”
Privacy attorney David Holtzman of the security consultancy CynergisTek offers a similar perspective.
“While the number of data breaches involving publicly traded companies and media coverage of these incidents has seen a substantial increase over the last several years, there has been a smaller increase in shareholder lawsuits alleging the value of their investment lost value because of the breach,” he says.
“These actions typically rest on claims that either the company misled investors by misrepresenting the strength of their information security protections. Or, the company withheld or was too slow in disclosing a breach after it became aware of it.”
But these claims typically face significant obstacles in “proving that the company’s officers and directors engaged in conduct that would make them liable for damages,” Holtzman notes.
Other Shareholder Lawsuits
Other shareholder lawsuits involving security matters include those filed against Zoom that accuse the video chat vendor of not disclosing known security and privacy vulnerabilities, Holtzman notes.
“Shareholders accuse Zoom of having inadequate data privacy and security measures and falsely claiming that the video conferencing service’s transmissions were ‘end-to-end encrypted’,” he says.
“The lawsuits claim that media reports and public statements by the company on its security problems have caused Zoom’s stock price to drop.”