Quest Diagnostics has agreed to a $5 million settlement following allegations of illegal disposal of waste and patient information

By Stephanie Srakocic | Fact-checked by Davi Sherman
Published February 21, 2024

Key Takeaways

  •  Investigators found hazardous and unobscured waste materials in dumpsters and other waste receptacles at Quest Diagnostics facilities across California. 

  • Quest Diagnostics recently reached a settlement with the San Joaquin County District Attorney’s Office. As part of the agreement, they will pay $3,999,500 to 10 California counties.

Quest Diagnostics is one of the largest diagnostic service providers in the US. The company has nearly 50,000 employees and generated just over $9.2 billion in revenue in 2023. Last week, the company reached a settlement with the San Joaquin County District Attorney’s Office. The terms of the settlement require Quest to pay a total of $3,999,500 to 10 California counties and another $300,000 for environmental projects. The remaining $700,000 will go toward legal fees.[][] 

The settlement comes after claims that Quest illegally dumped hazardous waste and protected patient information at its facilities across California. More than 30 inspections of Quest Labs and testing facilities were conducted. Inspectors searched dumpsters and other waste disposal units and found bleach, electronic waste, batteries, unredacted medical information, medical waste such as specimen containers for blood and urine, and hazardous waste.[]

These unlawful disposals allegedly violate California’s Hazardous Waste Control Law, Medical Waste Management Act, Unfair Competition Law, and multiple civil laws prohibiting the unauthorized disclosure of personal health information. California’s District Attorney was joined by the district attorneys of Alameda, Los Angeles, Monterey, Orange, Sacramento, San Bernardino, San Joaquin, San Mateo, Ventura, and Yolo Counties in the settlement.[] 

The settlement

Under the terms of the settlement, Quest denies all guilt. However, it has agreed to take some corrective steps, including hiring an independent environmental auditor. The auditor will help bring Quest facilities into compliance with California law. The auditor will review waste disposal at Quest facilities and modify its operating and training procedures to improve its handling, storage, and disposal of hazardous waste, medical waste, and personal health information. The new procedures and training programs will be implemented at over 600 Quest locations in California.[] 

Discussing the settlement, California Attorney General Rob Botna said:

Quest Diagnostics’ illegal disposal of hazardous and medical waste and patient information put families and communities at risk and endangered our environment…Let today’s settlement send a clear message that my office will hold corporations, including medical services providers, accountable for violations of state environmental and privacy laws. I appreciate the partnership of the district attorneys’ offices across our state that led to this critical settlement.[]

After the settlement was announced, Quest spokesman Denny Moynihan stated, 

Quest takes patient privacy and the protection of the environment very seriously and has made significant investments to implement industry best practices to ensure hazardous waste, medical waste, and confidential patient information are disposed of properly. These include investing in technologies for treatment of biological waste, secured destruction of patient information, programs to maximize recycling efforts and minimize waste-to-landfill disposal, waste-to-energy recovery of non-recyclable wastes, and enhanced waste audit and inspection measures to ensure continued compliance with applicable laws.[]

Disposal of patient information

The disposal of records containing patient information is specifically covered under HIPAA. HIPAA doesn’t regulate the exact steps that healthcare practices take to dispose of patient records but does state that throwing out records in dumpsters, recycling bins, and other receptacles accessible by the public is a violation. The HIPAA Journal reports that these types of breaches are relatively rare. Only a handful of such patient privacy violations happen each year.[][]

However, when this type of violation occurs, it can be significant. For instance, 2020 saw the highest number of improper disposal incidents in over a decade, with 16 violations. This seems like a low number of incidents, but it’s still cause for concern. These 16 incidents exposed nearly 600,00 patient records.[] 

Additionally, Quest isn’t the only nationally known healthcare provider investigated for its disposal of patient records and other waste material. In 2023, Kaiser Permanente faced similar charges from district attorneys’ offices. The healthcare company will now be required to pay the state up to $49 million.[]  

Cybersecurity risks to patient data

Patient data breaches can also occur when hospitals and healthcare systems are hacked or otherwise compromised. The systems that store data for healthcare facilities hold a wealth of personal information and have been attractive targets for hackers in recent years. This has often led to the exposure of sensitive information and lawsuits against the provider. Large national healthcare companies such as Banner Health, Anthem, and Fresenius Medical Care all experienced data breaches that affected millions of patients and resulted in heavy penalties.[]

Chad Anguilm, vice president of growth at Medical Advantage, part of TDC Group (the nation's largest physician-owned medical malpractice insurer), says that healthcare practices have been slower to respond to and recover from data breaches and hacking than other businesses. Additionally, the increasing use of AI technology will likely exacerbate the risk of cyberattacks. 

“Healthcare providers must prioritize cybersecurity by implementing multi-factor authentication, encryption, and regular security audits,” says Anguilm. “With sensitive patient data being processed and stored by these systems, it is imperative to maintain strict security measures to prevent potential data breaches.”

Share with emailShare to FacebookShare to LinkedInShare to Twitter