Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 1 of 13

Sheehan & Associates, P.C.
Spencer Sheehan
505 Northern Blvd., Suite 311
Great Neck, NY 11021
(516) 303-0552
spencer@spencersheehan.com
United States District Court
Southern District of New York

7:19-cv-05216

Brian Lanouette, Jane Doe, individually and
on behalf of all others similarly situated
Plaintiffs
- against -

Complaint

Retrieval-Masters Creditors Bureau, Inc.,
Optum360, LLC and Quest Diagnostics
Incorporated
Defendants
Plaintiffs by attorneys alleges upon information and belief, except for allegations
pertaining to plaintiff, which are based on personal knowledge:
1.

Retrieval-Masters Creditors Bureau, Inc., Optum360, LLC and Quest Diagnostics

Incorporated (“defendant”) obtained and maintained personal and financial data from plaintiff and
class members through defendant Quest Diagnostics’ role as the leading medical laboratory
services provider in the country and world, which in turn contracted with Retrieval Masters Credit
Bureau Inc. (RMCB) d/b/a American Medical Collection Agency and Optum360 to obtain
payment from plaintiff and class members when insurance services did not render full payment.
2.

Defendant Quest solicited and promoted its Products and Services to plaintiff and

class members through multimedia campaigns, direct to consumer promotions and partnerships
with the largest medical insurance and healthcare providers to maintain its status as the leading
laboratory services firm that Americans feel comfortable with.

1

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 2 of 13

3.

The personal, financial and bank account information of plaintiffs and class members

was recently revealed as being compromised from approximately August 2018 to March 2019.
4.

The personal information was disclosed due to the actions of RMCB, who

subcontracted for Optum360, who in turn, subcontracted for Quest Diagnostics.
5.

Though this personal information was unlawfully obtained last year, and defendants

became aware of it at least two months ago, defendants only informed plaintiff and class members
of this recently – the lag in time being crucial when it comes to tightening up potentially
compromised data against intrusions.
6.

While it is uncertain whether plaintiff and class members’ sensitive and HIPAA-

protected medical information was compromised, the fact that the breach occurred and that
cybercriminals obtained account information of plaintiffs and class members makes it likely that
private medical information will or has been disclosed already on the “dark web.”
7.

By cross-referencing the charges imposed on plaintiffs and class members and the

frequency with which they occurred, with defendant Quest Diagnostics’ publicly available fee
schedules, cyber criminals will not have to expend much effort to know, with high probabilities,
which tests were performed on plaintiffs and class members.
8.

By matching the charges with tests for rare genetic disorders, diabetes or more

serious conditions, the medical information of plaintiffs and class members may end up for sale in
the darkest corners of the Internet and used for nefarious purposes.
9.

These consequences are in addition to the hours required to recover from a data

breach, including but not limited to cancelling credit cards, opening new bank accounts, reversing
fraudulently imposed charges, and higher interest rates due to the inevitable decline in credit score
when plaintiffs and class members reasonably do not pay for items and services they did not

2

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 3 of 13

purchase.
10.

Plaintiffs and class members did not have a choice to use defendant Quest’s services,

since it is the largest lab services provider in the country and often the only provider in many areas.
11.

By failing to implement third-party safeguards and quality-control mechanisms,

defendant Quest enabled data thieves to pilfer the account records of persons who used their
services, at the directions of their medical providers.
12.

This failing was due to strict requirements that defendant Quest select the billing

providers that committed to the lowest cost for servicing accounts.
13.

However, the lowest cost to defendant Quest has resulted in a higher cost being

imposed on plaintiff and class members.
14.

Defendants are jointly and severally liable for all consequences of the data breach

incident (“DBI”).
15.

Defendant Quest retained, supervised, controlled, directed and authorized all actions

of defendants Optum and RMCB which resulted in plaintiff and class members’ personal
information being compromised.
16.

Reports have indicated that if defendants took reasonable, industry-standard steps

and followed “best practices,” either this DBI would not have occurred or it would not have lasted
as long as it did, and the harms to plaintiff and class members would have been mitigated.
17.

If Defendants had done these tasks, it is more likely than not that the breach would

have not occurred, or at least, its effect would have been minimized.
18.

Plaintiffs and class members have and will endure loss of use of and access to bank

and credit card accounts which will snowball to the inability to make required payments on rent,
mortgages, cars and utilities.

3

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 4 of 13

Jurisdiction and Venue
19.

Jurisdiction is proper pursuant to 28 U.S.C. § 1332(d)(2).

20.

Upon information and belief, the aggregate amount in controversy is more than

$5,000,000.00, exclusive of interests and costs.
21.

This court has personal jurisdiction over defendants because they conduct and

transact business, contract to supply and supply goods within New York.
22.

Venue is proper because the defendant identified as responsible for the DBI, RMCB

d/b/a American Medical Collection Agency, has its main offices in this district, and defendant
Quest has provided services to, based on estimates, a larger percentage of the population in this
venue than other venues.
23.

A substantial part of events and omissions giving rise to the claims occurred in this

District.
Parties
24.

Plaintiff is a citizen of Hillsborough County, New Hampshire.

25.

John and Jane Doe plaintiffs are citizens of the other 49 states who have been affected

by the conduct alleged here but their true identities are not fully known.
26.

John and Jane Doe may be used in the complaint to refer to representatives of sub-

classes of the various states and at such time their identities will be disclosed.
27.

The allegations as related to laws of other states where no named plaintiff has been

disclosed serves as a placeholder upon joinder or amendment.
28.

Named plaintiff utilized the services of defendant Quest during the relevant period

and upon information and belief his or her personal financial data was transmitted in the course of
business from Quest to Optum360 and RMCB.

4

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 5 of 13

29.

Defendant Retrieval-Masters Creditors Bureau, Inc., is a Florida corporation with a

principal place of business in Elmsford, New York.
30.

Defendant Optum360, LLC is a Delaware limited liability company with a principal

place of business in Eden Prairie, Minnesota, and upon information and belief, at least one member
of defendant is a citizen of New York State.
31.

Defendant Quest Diagnostics Incorporated in a Delaware corporation with a

principal place of business in Secaucus, New Jersey.
32.

During the class period, plaintiffs obtained services provided by defendant Quest for

which they provided their personal financial information related to medical or laboratory services,
and that information was transmitted to defendants Optum360 and RMCB.
33.

During the relevant period, and specifically, recently, named plaintiff experienced

unauthorized attempts to utilize his or her credit for purchase of consumer and durable goods, and
his or her credit report was subjected to hard and/or soft credit checks in connection with such
attempted purchases.
34.

Plaintiffs and class members would consider utilizing the services of defendant Quest

in the future if there were assurances it would safeguard their data by using industry standard best
practices.
35.

Plaintiffs and class members often do not have a choice to use the services of

defendant Quest because it has a virtual monopoly over medical and lab testing services in most
regions of the country, and other lab providers do not take their health insurance.
Class Allegations
36.

The classes will consist of all consumers in the following states: all, New

Hampshire, Connecticut, New York, Illinois, North Carolina, Ohio, Massachusetts, Vermont,

5

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 6 of 13

California, who obtained medical laboratory services from defendant Quest during the statutes of
limitation and whose information was transmitted to defendants RMCB and Optum.
37.

A class action is superior to other methods for fair and efficient adjudication.

38.

The class is so numerous that joinder of all members, even if permitted, is

impracticable, as there are likely tens of millions of members.
39.

Common questions of law or fact predominate and include whether plaintiffs’ and

class members’ personal financial data was compromised, causing them harm, and if defendants
took reasonable measures to prevent or mitigate the harm, and whether plaintiffs and class
members are entitled to damages.
40.

Plaintiff’s claims and the basis for relief are typical to other members because all

were subjected to the same representations.
41.

Plaintiff(s) is/are an adequate representative because his/her/their interests do not

conflict with other members.
42.

No individual inquiry is necessary since the focus is only on defendant’s practices

and the class is definable and ascertainable.
43.

Individual actions would risk inconsistent results, be repetitive and are impractical

to justify, as the claims are modest.
44.

Plaintiff(s) counsel is competent and experienced in complex class action litigation

and intends to adequately and fairly protect class members’ interests.
45.

Plaintiff(s) seeks class-wide injunctive relief because the practices continue and

plaintiffs do not have any alternatives to using defendant Quest’s lab services because there are no
other options which are geographically accessible to many plaintiffs and who accept their health
insurance.

6

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 7 of 13

Connecticut Unfair Trade Practices Act (“CUPTA”), Conn. Gen Stat § 42-110a, et.
seq., New York General Business Law (“GBL”) §§ 349 & 350, California Consumers
Legal Remedies Act, Civ. Code §§ 1750-1785 (“CLRA”)
and Consumer Protection Statutes of Other States and Territories

46.

Plaintiff re-alleges the paragraphs above.

47.

Plaintiffs and John and Jane Doe plaintiffs, representing 49 other states where they

reside and received and/or purchased the Services or Products, incorporate by reference all
preceding paragraphs and assert causes of action under the consumer protection statutes of all 50
states.
a. Alabama Deceptive Trade Practices Act, Ala. Code § 8-19-1, et. seq.;
b. Alaska Unfair Trade Practices and Consumer Protection Act, Ak. Code § 45.50.471, et.
seq.;
c. Arkansas Deceptive Trade Practices Act, Ark. Code § 4-88-101, et. seq.;
d. California Consumers Legal Remedies Act, Cal. Civ. Code §§ 1750 et seq. and Unfair
Competition Law, Cal. Bus. Prof. Code §§ 17200- 17210 et. seq.;
e. Colorado Consumer Protection Act, Colo Rev. Stat § 6-1-101, et. seq.;
f. Connecticut Unfair Trade Practices Act, Conn. Gen Stat § 42-110a, et. seq.;
g. Delaware Deceptive Trade Practices Act, 6 Del. Code § 2511, et. seq.;
h. District of Columbia Consumer Protection Procedures Act, D.C. Code §§ 28-3901, et. seq.;
i. Florida Deceptive and Unfair Trade Practices, Act Florida Statutes§ 501.201, et. seq.;
j. Georgia Fair Business Practices Act, §10-1-390 et. seq.;
k. Hawaii Unfair and Deceptive Practices Act, Hawaii Revised Statutes § 480 1, et. seq. and
Hawaii Uniform Deceptive Trade Practices Act, Hawaii Revised Statute § 481A-1, et. seq.;
l. Idaho Consumer Protection Act, Idaho Code § 48-601, et. seq.;
m. Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS § 505/1, et. seq.;
n. Kansas Consumer Protection Act, Kan. Stat. Ann §§ 50 626, et. seq.;
o. Kentucky Consumer Protection Act, Ky. Rev. Stat. Ann. §§ 367.110, et. seq., and the
Kentucky Unfair Trade Practices Act, Ky. Rev. Stat. Ann § 365.020, et. seq.;
p. Louisiana Unfair Trade Practices and Consumer Protection Law, La. Rev. Stat. Ann. §§
51:1401, et. seq.;
q. Maine Unfair Trade Practices Act, 5 Me. Rev. Stat. § 205A, et. seq., and Maine Uniform
Deceptive Trade Practices Act, Me. Rev. Stat. Ann. 10, § 1211, et. seq.;
r. Massachusetts Unfair and Deceptive Practices Act, Mass. Gen Laws ch. 93A;
s. Michigan Consumer Protection Act, §§ 445.901, et. seq.;
t. Minnesota Prevention of Consumer Fraud Act, Minn. Stat §§ 325F.68, et. seq.; and
Minnesota Uniform Deceptive Trade Practices Act, Minn Stat. § 325D.43, et. seq.;
u. Mississippi Consumer Protection Act, Miss. Code An. §§ 75-24-1, et. seq.;
v. Missouri Merchandising Practices Act, Mo. Rev. Stat. § 407.010, et. seq.;
7

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 8 of 13

w. Montana Unfair Trade Practices and Consumer Protection Act, Mont. Code § 30-14-101,
et. seq.;
x. Nebraska Consumer Protection Act, neb. Rev. Stat. § 59 1601 et. seq., and the Nebraska
Uniform Deceptive Trade Practices Act, Neb. Rev. Stat. § 87-301, et. seq.;
y. Nevada Trade Regulation and Practices Act, Nev. Rev. Stat. §§ 598.0903, et. seq.;
z. New Hampshire Consumer Protection Act, N.H. Rev. Stat. § 358-A:1, et. seq.;
aa. New Jersey Consumer Fraud Act, N.J. Stat. Ann. §§ 56:8 1, et. seq.;
bb. New Mexico Unfair Practices Act, N.M. Sta. Ann. §§ 57 12 1, et. seq.;
cc. New York General Business Law (“GBL”) §§ 349 & 350;
dd. North Dakota Consumer Fraud Act, N.D. Cent. Code §§ 51 15 01, et. seq.;
ee. Ohio Rev. Code Ann. §§ 1345.02 and 1345.03; Ohio Admin. Code §§ 109;
ff. Oklahoma Consumer Protection Act, Okla. Stat. 15 § 751, et. seq.;
gg. Oregon Unfair Trade Practices Act, Ore. Rev. Stat. § 646.608(e) & (g);
hh. Rhode Island Unfair Trade Practices and Consumer Protection Act, R.I. Gen. Laws § 613.1-1 et. seq.;
ii. South Carolina Unfair Trade Practices Act, S.C. Code Law § 39-5-10, et. seq.;
jj. South Dakota’s Deceptive Trade Practices and Consumer Protection Law, S.D. Codified
Laws §§ 37 24 1, et. seq.;
kk. Tennessee Consumer Protection Act, Tenn. Code Ann. § 47-18-101 et. seq.;
ll. Vermont Consumer Fraud Act, Vt. Stat. Ann. Tit. 9, § 2451, et. seq.;
mm. Washington Consumer Fraud Act, Wash. Rev. Code § 19.86/0101, et. seq.;
nn. West Virginia Consumer Credit and Protection Act, West Virginia Code § 46A-6-101, et.
seq.;
oo. Wisconsin Deceptive Trade Practices Act, Wis. Stat. §§ 100.18, et. seq.
48.

Named plaintiff asserts causes of action under New Hampshire Consumer Protection

Act, N.H. Rev. Stat. § 358-A:1, et. seq.;
49.

Jane Doe plaintiffs assert causes of action under the laws of the other 49 states,

including the New York General Business Law §§ 349-350 and California Consumers Legal
Remedies Act, Cal. Civ. Code §§ 1750-1785 (“CLRA”).
50.

Defendant’s acts, practices, representations and omissions related to their adherence

to data protection practices that purportedly would safeguard the information of plaintiff and class
members are not unique to the parties and have a broader impact on the public.
51.

Plaintiffs and class members were directed by their medical providers to receive lab

services and directed to use defendant Quest, with the assurances their private data would not be
disclosed to unauthorized persons and that best practices would be employed to prevent or mitigate

8

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 9 of 13

such disclosure.
52.

After mailing appropriate notice and demand Jane Doe California Plaintiff will have

mailed and/or have amended the complaint to include a request for damages. Cal. Civil Code §
1782(a), (d).
53.

The conduct alleged in this Complaint constitutes unfair methods of competition and

unfair and deceptive acts and practices for the purpose of the CLRA.
54.

Defendant violated the consumer protection laws of the states indicated.

55.

The representations and omissions were relied on by plaintiff and class members,

who paid more than they would have, causing damages.

Breach of Contract
56.

Plaintiff re-alleges the paragraphs above.

57.

Plaintiff and Class members entered into a contract with Defendants for the provision

of laboratory or other related medical and diagnostic services and were given assurances in the
form of defendant Quest’s code of conduct and terms of services that industry-standard, reasonable
and practical measures would be taken, at all steps – intake, testing, billing etc. – that their private
data would be protected.
58.

The terms of defendants’ privacy policy are part of the contract.

59.

Plaintiff and Class members performed substantially all required of them under their

contract with defendants, or they were excused from doing so.
60.

Defendants failed to perform its obligations under the contract, including by failing

to provide adequate privacy, security, and confidentiality safeguards for Plaintiff’s and Class
member’s information and documents.
61.

As a direct and proximate result of defendants breach of contract, Plaintiff and Class

9

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 10 of 13

members did not get what they expected – laboratory services which protected their sensitive
personal data, and instead received laboratory services that were less valuable than described to
them because the terms did not disclose defendants would fail to comply with safeguarding their
data.
62.

Plaintiff and Class members were damaged in an amount at least equal to the

difference in value between that which was promised and Defendants’ deficient performance.
63.

Also as a result of Defendants’ breach of contract, Plaintiff and Class members have

suffered actual damages resulting from the exposure of their personal information, and they remain
at risk of suffering additional damages.
64.

Accordingly, Plaintiff and Class members have been injured by Defendants’ breach

of contract and are entitled to damages and/or restitution in an amount to be proven at trial.
Negligence and Negligence Per Se
(all classes)
65.

Plaintiff incorporates by references all preceding paragraphs.

66.

Defendants violated NH Rev Stat § 359-C:20 and N.Y. Gen. Bus. Law § 899-aa by

failing to properly disclose the data breach.
67.

Class members are within the class of persons that the aforesaid laws were intended

to protect because they are residents of these states.
68.

The harm which occurred due to Defendants’ Data Breach is the type of harm that

these laws were intended to protect.
69.

Specifically, this is the harm of the unauthorized access or disclosure of personal

information due to a failure to maintain reasonable security procedures.
70.

Defendants had a duty of reasonable care to safeguard the privacy, confidentiality,

10

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 11 of 13

and security of Plaintiff’s and Class members’ personal information and documents and comply
with the terms of its own privacy policy.
71.

Defendants breached this duty of care by failing to adequately safeguard the private

and confidential personal information and records of plaintiff and class members.
72.

Defendants breached their duty of care FTC Act Section 5, the Consumers Legal

Remedies Act (CA) and the GLB Act.
73.

As a direct and proximate result of Defendants’ breach of their duty of care, Plaintiff

and the Class suffered injury.
Unjust Enrichment
74.

Plaintiff incorporates by references all preceding paragraphs.

75.

Defendants obtained benefits and monies because the Services or Products were not

as represented and expected, to the detriment and impoverishment of plaintiff and class members,
who seek restitution and disgorgement of inequitably obtained profits.
Jury Demand and Prayer for Relief
Plaintiff demands a jury trial on all issues.
WHEREFORE, plaintiff prays for judgment:
1. Declaring this a proper class action, certifying plaintiff(s) as representative and the
undersigned as counsel for the class;
2. Entering preliminary and permanent injunctive relief by directing defendants to correct
such practices to comply with the law;
3. Injunctive relief for members of the New Hampshire and New York Subclass pursuant to
their consumer protection law;
4. An award of disgorgement pursuant to California Business and Professions Code §§ 17203
and 17535 for Jane Doe California Plaintiff members of the California Subclass;
11

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 12 of 13

5. An order enjoining Defendant, pursuant to California Business and Professions Code §§
17203 and 17535, to remove and/or refrain from failing to provide adequate measures to
safeguard the personal information of plaintiff and class members;
6. Awarding monetary damages and interest, including treble and punitive damages, pursuant
to the common law and other statutory claims;
7. Awarding costs and expenses, including reasonable fees for plaintiff’s attorneys and
experts; and
8. Such other and further relief as the Court deems just and proper.
Dated: June 4, 2019
Respectfully submitted,
Sheehan & Associates, P.C.
/s/Spencer Sheehan
Spencer Sheehan (SS-8533)
505 Northern Blvd., Suite 311
Great Neck, NY 11021
(516) 303-0552
spencer@spencersheehan.com

12

 Case 7:19-cv-05216-VB Document 1 Filed 06/04/19 Page 13 of 13

7:19-cv-05216
United States District Court
Southern District of New York
Brian Lanouette, Jane Doe individually and on behalf of all others similarly situated

Plaintiffs

- against -

Retrieval-Masters Creditors Bureau, Inc., Optum360, LLC and Quest Diagnostics
Incorporated
Defendants

Complaint

Sheehan & Associates, P.C.
505 Northern Blvd., #311
Great Neck, NY 11021
Tel: (516) 303-0052
Fax: (516) 234-7800

Pursuant to 22 NYCRR 130-1.1, the undersigned, an attorney admitted to practice in the courts of
New York State, certifies that, upon information, and belief, formed after an inquiry reasonable
under the circumstances, the contentions contained in the annexed documents are not frivolous.
Dated: June 4, 2019
/s/ Spencer Sheehan
Spencer Sheehan