A Brooklyn marketing office was inundated for months by hundreds of private medical documents meant for Quest Diagnostics, but couldn’t get anyone at the clinical laboratory services company to take action until she called NBC 4 New York's I-Team.
Gabby Klotzman started working for APS Marketing Group in Flatbush in April and almost immediately noticed faxes meant for Quest Diagnostic coming into her office, she says.
The faxes were all medical papers, with sensitive information, including name, date of birth, phone numbers, and sometimes social security numbers for patients. They almost always included the type of the test that was being ordered for the individuals and were faxed from many different medical offices in the New York metropolitan area.
“I know if it was my information being shared, I would want someone to tell me," Klotzman said.
Klotzman called Quest Diagnostics. She said the company told her they were handling the situation and promised her they would contact the clients.
But the faxes kept coming. Klotzman noticed that Quest's fax number began with area code 785 while her company fax number began with a 718. She contacted the Department of Health and Human Services, which oversees HIPAA, a collection of strict medical privacy laws.
Months went by and she continued to receive sensitive medical data she did not want. That's when she reached out to the I-Team.
Hundreds of patients had medical documents with their information sent to the marketing group in error. The I-Team showed personal records to several of them.
Doralis Garcia was stunned to see her name, date of birth, age, phone number and type of testing she had undergone at a medical office in the Bronx.
"It is unbelievable and upsetting to know that you have my information,” said Garcia.
Jason Price was equally shocked when the I-Team showed him a similar document bearing his name.
“This is definitely a violation of privacy," Price said. "To give out someone else's medical records ... you don't know what people can do with this."
Pam Dixon, a medical privacy expert, said it's against the law to send medical documents to a business.
Klotzman followed up with the Department Health and Human Services about her complaint after several months of continuously getting the medical records. HHS sent her a letter in response, saying that the case was closed and that they would resolve the matter by providing "technical assistance to Quest Diagnostics."
When the I-Team contacted the medical office in the Bronx that sent Garcia and Price’s information in error to the Brooklyn firm, the office said 44 records were sent to the wrong party due to "human error when the area code was entered incorrectly."
The medical office was never notified by Quest Diagnostics or the federal government that something had gone wrong.
A spokesman for Quest Diagnostics says it was not aware that the breach involved so many medical documents from so many medical offices at the time Klotzman first contacted the company.
Once the I-Team got involved, Quest decided to create a new 718 fax number to avoid future confusion with the medical offices in the metropolitan area.
Meanwhile, the I-Team has learned a class action lawsuit over the data breach was filed this week against Quest Diagnostics by the law firm Newman Ferrara LLP.
Quest Diagnostics said it was aware of the lawsuit, but had no comment.
The Department of Health and Human Services declined to comment about the letter it sent Klotzman or what they did to close their investigation.