Quest Diagnostics is notifying some employees that some of their personal information was inadvertently attached to an email sent outside the company.
The email gaffe occurred on November 17, when a report containing employee information was attached to an email sent to two individuals with whom the firm has a business relationship. The error was reported to them on November 21, but management did not become aware of the issue until December 11. At that time, Quest determined that the two recipients routinely handled confidential information for their firms, and the recipients affirmed that the emails had been deleted and not disseminated further.
The breach impacted employees and/or their spouses or partners who started or completed a Wellness questionnaire; made an appointment or were a walk-in at a PSC for their lab draw; or, had their lab work completed between October 8 and November 15.
No medical or lab results were included in the report, but names, addresses, dates of birth, Social Security numbers, Quest Employee ID numbers (for employees), and any email addresses used for sign-up were included.
Quest offered those affected complimentary services with Experian.
A copy of the notification letter is available on the California Attorney General’s web site, here.
Updated 1-14-2015: The breach affected 571 Maryland residents. The total number affected nationwide was not disclosed.