Almost 12 Million Patients Give Blood & Financial Data in Latest Breach

Quest Diagnostics, a major blood testing company, warned that almost 12 million of its customers may have had personal, financial and medical information breached due to a collections vendor issue.

In a securities regulator filing, Secaucus, N.J.-based Quest said it received notification that from Aug. 1, 2018 to March 30, 2019, someone had unauthorized access to the systems of third-part vendor American Medical Collection System. “(The) information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security numbers),” Quest said in the filing.

According to published reports, the medical testing company said it learned the affected AMCA system stored information on about 11.9 million of Quest Diagnostics’ patients but had yet to received detailed or complete information from AMCA about the breach. This is the second breach affecting Quest customers in three years. In 2016, the company said 34,000 patients had data stolen by hackers.

Cybersecurity experts reacted to this latest major incident:

Colin Bastable, CEO of Lucy Security, said, “Outsourcing billing to third party vendors is a great way to extract efficiencies by reducing core costs, but it exposes the business and its customers to uncontrollable security risks. The fragmented healthcare industry, like the fragmented home finance and buying industry, is vulnerable because there are so many moving parts, bad actors have multiple points of entry to exploit inadequate security.”

Pankaj Parekh, chief product and strategy officer at SecurityFirst, remarked, “It’s not enough to protect your data – you have to understand that data shared with partners and vendors is also at risk.” He added, enterprises like Quest Diagnostics must carefully assess the security practices of their vendors to make sure of customer data security.

“This was a breach through a vendor in their supply chain and shows that however good your security strategy is, it can only ever be as good as the weakest link in the chain,” Laurence Pitt, security strategy director at Juniper Networks, emphasized. Pitt added, “You cannot outsource security responsibility!”

Cathy Allen, CEO, Shared Assessments, pointed out “This is alarming as it shows adversaries are attacking healthcare, insurance and financial information in one hack. Even though the test results are not accessible, just the types of tests proscribed might indicate a type of illness that you would not want.” Allen also said, “Thieves often steal and resell insurance date on the internet, having other information makes the data more valuable and the price higher.”

Tom Garrubba, senior director and CISO, Shared Assessments, noted this appears to be quite a motherload of data as this breach seems to touch on all three critical components of customer data: personally identifying, credit card and health information. “I’m curious to see how swiftly the Office for Civil Rights – which oversees HIPAA compliance – moves in to review the details of the breach. The OCR has historically been under a lot of pressure to levy fines of healthcare breaches.”

There is a dastardlier element to a medical breach. Bob Jones, senior adviser, The Santa Fe Group, said, “A corrosive result of medical history identity theft that can result from this kind of breach is the commingling of the imposter’s information with the victim’s. What happens, for example, if the victim is in need of emergency transfusion and the imposter’s blood type is noted on his EHR (electronic health records)?”

According to Byron Rashed, vice president of marketing at Centripetal: “E-commerce, supply chains and partner networks can greatly affect the network and data security of organizations doing business with one another. It’s imperative that companies work with their business partners to ensure they are using best cybersecurity practices to mitigate risk all around.”

Michael Magrath, director, global regulations and standards, OneSpan suggested, the breach supports Ponemon Institute’s “Data Risk in the Third-Party Ecosystem” study, which found 59% of companies surveyed experienced a data breach caused by their third-party vendors. “This breach will undoubted bring a hefty fine from (the Health and Human Services Department) Office of Civil Rights to ACMA. The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies could serve as the model for third parties authentication practices.”

Robert Prigge, president of Jumio, said, “Over the last decade, there have been over 2,550 data breaches impacting more than 175 million records. The equivalent of affecting more than 50% of the U.S. population.” Prigge added medical records command a high value on the dark web, up to 10 times more than the average credit card breach, because there is more personal information in health records than any other electronic database.

“Credit card numbers, medical information, and personal data were stolen from 11.9 million people in this breach lasting almost an entire year. It is especially important for companies with sensitive information, such as medical records, to be proactively protecting each endpoint,” Kevin Gosschalk, CEO of Arkose Labs, said.

Ben Goodman, vice president of global strategy and innovation at ForgeRock, said, “Malicious users can now open credit cards or take out loans, intercept tax refunds, cover medical treatment, open utility accounts and even take flights with victims’ airline miles. As a publicly traded company, that can lead to serious repercussions with shareholder trust, stock price and brand reputation.”