LabCorp suffered two data breaches in under a year and was one of two dozen companies affected by the 2019 American Medical Collection Agency breach.
In a sustained and catastrophic breach that went unnoticed for eight months, hackers compromised the systems of AMCA, gaining access to the data of about 7.7 million LabCorp patients. Following the incident, several lawsuits were filed by patients against AMCA and LabCorp.
LabCorp’s second data breach took place in January 2020, when the misconfiguration of a website resulted in 10,000 company documents’ accidentally being made available to the public.
Shareholder Raymond Eugenio has filed a suit against LabCorp and its 12 directors and executives in an attempt to recoup share value losses that occurred following the two unfortunate cybersecurity incidents.
In his suit, filed at the end of April in the court of chancery of the state of Delaware, Eugenio claims LabCorp failed to publicly disclose the 2020 breach or mention it in any filing with the Securities and Exchange Commission.
At the time of going to press, the incident had not been listed on the reporting tool run by the Department of Health and Human Services. The department requires that all breaches of unsecured protected health information affecting 500 or more individuals should be reported and listed publicly.
The plaintiff slams LabCorp’s cybersecurity measures as “historically and persistently deficient” and alleges that the company’s failure to implement adequate security protection led directly to the two data breaches.
LabCorp’s breach response and remediation following the AMCA breach cost the company $11.5m, according to an earlier SEC filing. Eugenio’s suit suggests that this amount is a drop in the ocean compared to the real losses incurred by the breach as it excludes litigation costs paid by the company when settling the lawsuits that followed.
Eugenio is seeking reimbursement for damages incurred by the breaches and wants LabCorp to publicly acknowledge the second breach. He also wants corporate governance and internal procedures at the company to be overhauled to prevent further cybersecurity calamities.
Source: Infosecurity Magazine