LabCorp slapped with shareholder suit over data breaches

Zack Whittaker
·1 min read
Laboratory Corporation of America Holdings (LabCorp) phlebotomist Shavonne Randolph processes a urine sample at a Community Clinic Inc. health center in Silver Spring, Maryland, U.S., on Wednesday, April 8, 2015. Led by the American Medical Association, three of the top five spenders on congressional lobbying have waged a campaign to urge Congress to revamp the way Medicare pays physicians and end the cycle of "doc fix" patches. Senate leaders predict quick action on House-passed legislation when Congress returns April 13 from its two-week recess. Photographer: Andrew Harrer/Bloomberg via Getty Images
Laboratory Corporation of America Holdings (LabCorp) phlebotomist Shavonne Randolph processes a urine sample at a Community Clinic Inc. health center in Silver Spring, Maryland, U.S., on Wednesday, April 8, 2015. Led by the American Medical Association, three of the top five spenders on congressional lobbying have waged a campaign to urge Congress to revamp the way Medicare pays physicians and end the cycle of "doc fix" patches. Senate leaders predict quick action on House-passed legislation when Congress returns April 13 from its two-week recess. Photographer: Andrew Harrer/Bloomberg via Getty Images

A LabCorp shareholder has filed a lawsuit against the laboratory giant, accusing its board of concealing details of two data breaches that affected millions of patients.

The derivative suit, filed on Tuesday by shareholder Raymond Eugenio, targets the company's leadership and board members, including its chief executive, Adam Schechter.

The first breach hit third-party billing provider AMCA in 2019, affecting 7.7 million LabCorp patients and millions more from other lab test providers, including Quest and BioReference. A second security lapse (discovered by TechCrunch earlier this year involving the exposure of thousands of patient documents) was also referenced in the suit.

At the heart of the complaint, the shareholder claims LabCorp's "insufficient cybersecurity procedures" contributed in part to the two security incidents, and that the board fell short of its fiduciary duty by not disclosing the security incidents to shareholders. LabCorp also is accused of not informing patients and customers of the breach, and the suit claims the company did not properly inform attorney generals' offices within the time given under state data breach notification laws.

The suit also accuses LabCorp of failing to "disclose this breach in any widely disseminated public release or SEC filing," adding that the incidents noted in the complaint were "unlawfully concealed from LabCorp shareholders."

LabCorp spokesperson Mike Geller said the lawsuit "will be vigorously defended."

News of the suit was first reported by Bloomberg Law. You can read the complaint here.