A class-action lawsuit has been filed against a pair of healthcare providers, alleging they violated state law in California by sending confidential medical information to a third-party collection agency. That information was subsequently publicized as a result of a data breach.
The plaintiff, Gregory Bratten, is suing Quest Diagnostics and Optum360 for allegedly violating the California Confidentiality of Medical Information Act (CMIA), which requires healthcare providers to only share medical information when authorized to do so by a patient, except under a few circumstances. None of those exceptions are for collecting unpaid debts. Information can be shared to help agencies collect on debts, but medical information does not need to be part of the information that is shared.
The plaintiff received a blood test at a Quest facility and failed to pay the bill, which led to his account being placed with American Medical Collection Agency (AMCA). AMCA was the victim of a data breach back in 2019 that exposed the personal and medical information of 12 million individuals. AMCA filed for bankruptcy protection following the breach, which occurred when an unauthorized user gained access to the agency’s online payment portal. The unauthorized user had been accessing the portal for more than six months when the breach was discovered.
“Quest Diagnostics neglected patient privacy and clearly violated the California Confidentiality of Medical Information Act. We are committed to ensuring that Quest is held accountable for recklessly mismanaging sensitive patient information,” said Christopher Ayers, partner at Seeger Weiss, who is participating in the lawsuit, in a published report. The suit seeks damages, attorney’s fees, and an order prohibiting Quest from unlawfully disclosing medical information of its patients.