Quest’s ReproSource faces patient lawsuit over data breach impacting 350K patients

Jessica Davis reports:

One month after notifying 350,000 patients of a potential theft of their protected health information, ReproSource Fertility Diagnostics has been sued by a patient over alleged security failings. ReproSource is a clinical laboratory for fertility specialists and a subsidiary of Quest Diagnostics.

First disclosed Oct. 8, an attacker hacked into the ReproSource network in early August. The security team detected the intrusion two days later when the ransomware was deployed, but not before the actor possibly accessed or exfiltrated certain patient health information.

Read more at SC Magazine.

Davis reports that part of the complaint concerns the breach notifications:

However, the lawsuit alleges Quest and ReproSource failed to timely notify patients of the data breach in violation of Massachusetts law, noting that the vendor did not “provide prompt and direct notice of such breach to any affected Massachusetts residents, to the Massachusetts attorney general, and to the director of consumer affairs and business regulation for” the state.

“ReproSource’s notice of data breach was not just untimely but woefully deficient, failing to provide basic details, including but not limited to, how unauthorized parties accessed its networks, whether the information was encrypted or otherwise protected,” how it discovered the intrusion, the impacted systems, or whether the servers storing patient data were accessed.

What Massachusetts law requires as part of notifications to the state is different than what entities are required to disclose to consumers or patients. According to the commonwealth’s website:

The notice to affected consumer should:


  • Consumer’s right to obtain a police report
  • Information on how to request a security freeze at no charge
  • Information needed to request a security freeze
  • Information on complimentary credit monitoring services
  • Name of the parent organization and subsidiary organizations affected

NOT include

  • The nature of the breach or unauthorized acquisition or use
  • The number of Massachusetts residents affected by the security breach or the unauthorized access or use

About the author: Dissent

Comments are closed.