Last week, we wrote that Quest Diagnostics reported in a security filing that a collection agency performing collections for the company had suffered an intrusion that exposed almost 12 million individuals’ personal and financial information. Another lab company reported days later that it was notified that the information of 8 million of its patients had been compromised as well; that total is now almost 20 million.

What we have been able to learn is that the records compromised were only those in collections, not all lab records. The Connecticut and Illinois Attorneys General are both investigating the facts.

Many self-funded health plans and wellness plans have asked us what to do if they use these two lab companies. Here are some thoughts.

First, we have been told that the self-funded and wellness program products were not affected. If confirmed, this would be good news. This means that normal labs and drug testing that employers perform or employees have taken should not be affected. But any labs that have not been paid, or are in collections, might be affected. Again, it appears that only information of collection cases is involved.

Nonetheless, there is a lot of confusion about the personal information of employees that may have been impacted, and about how to communicate with employees, who are understandably nervous and may have questions for employers and wellness plans.

The lab companies have not yet been told which patients’ personal information was compromised, so it is hard to evaluate which employees’ information, if any, was involved. The lab companies are trying to find that out from the collection agency, but this has not yet been accomplished.

Employees are asking questions, and most companies want to assist their employees, so they are trying to figure out next steps. Employees generally appreciate transparency about what their employer has been told by the lab company. Let them know in an email or other correspondence that you are trying to find out who was impacted, if anyone. If the lab company confirms that the only people who were impacted are those whose bills are in collection, and that affected employees are required to be notified under state or federal law, pass that information along, so they know they will be notified if their information was compromised.

Let them know that you are working on it, that you are in touch with the lab company to find out who was impacted, and that you will assist, if possible, your employees/members in the event their information was compromised.

Let your employees know that you will assist them and answer any questions you can should you learn relevant information. But until you find out what information was actually involved, other than offering support, there isn’t a lot employers can do to assist.