HIPAA compliance, anyone?
For Quest Labs, AMCA would (in theory) have had to have signed a Business Associate Agreement, promising to be in full compliance with the US's HIPAA law, which requires, among other things, that all personally-identifiable health information (PHI) be stored and transmitted "securely". The law is not prescriptive, in terms of defining specific techniques for doing so, but does require both physical and electronic security.
While it does not require state-of-the-art security (at crushing expense), anyone reading the regulations would expect that full encryption of data is expected, as well as normal industry best-practices for firewalls, anti-virus protection, two-factor logins, patch management, etc. After all, you're protecting other people's data, not just your corporation's data. The law creates a legal duty to protect that data.
I wonder if AMCA knew that, signed any such agreement, had a clue what HIPAA is, or was HIPAA compliant? Violations of HIPAA can cause you to lose your accreditation, lose your license, as well as huge fines (some number of $ per case; multiply by 12 million cases).
This works back to Quest Labs, too, as they handed over the data that included the PHI. Quest is responsible for ensuring that they choose a vendor that is HIPAA-compliant, signing an appropriate Business Associate Agreement, and monitoring their compliance.