Nearly 12 million Quest Diagnostics patients affected by data breach

Quest Diagnostics, a US-based company that offers medical testing services, has announced that a third-party billing collections company they use has been hit by a data breach, affecting 11.9 million of Quest’s customers.

Quest Diagnostics data breach

The potentially compromised information includes the patients’ personal information (including Social Security number), financial and medical information, but not laboratory test results.

What happened?

“American Medical Collection Agency (AMCA), a billing collections service provider, has informed Quest Diagnostics that an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest. AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter,” Quest Diagnostics shared.

They also noted that they still don’t have detailed information about the AMCA data security incident and they don’t know for sure which data was compromised, but that they have suspended sending collection requests to AMCA for the moment.

The SEC filing filed by Quest reveals that the attackers had access to the AMCA’s system between August 1, 2018 and March 30, 2019.

According to DataBreaches.net, the credit for discovering the breach goes to Gemini Advisory analysts, who spotted a Card Not Present (CNP) database that had been posted for sale in a dark web market and figured out that the data must have been stolen via AMCA’s online portal.

They attempted to notify AMCA and, having received no response, they contacted US federal law enforcement.

An AMCA spokesperson said that upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, they conducted an internal review and took down their web payments page. They also say that they are investigating the security breach with the help of a third-party forensics firm.

Comments from the infosec industry

“The Quest breach targeted mostly financial data, and personal information such as SSNs. This kind of information is much more lucrative than personal health information, that, at the moment, is not readily marketable by criminals,” commented Dr. Giovanni Vigna, co-founder and CTO of Lastline.

“The financial information that was disclosed seems to be very comprehensive (credit card number, bank accounts, etc), and victims could have their identity stolen and financial transactions made in their name. Users should monitor their credit cards and bank accounts for unusual activity, and, in addition, freeze their credit reports.”

Brad Keller, Program Director, Shared Assessments, pointed out that, in addition to Quest, it is reasonable to assume that AMCA has other customers whose customer information was accessed as well.

“So we truly do not yet know the full extent of the incident,” he added. Also, he noted that the troubling aspect of breached healthcare information is that there is no mechanism in place to prevent its mis-use.

“Action can be taken to freeze information at the credit bureaus and indicate that financial information has been compromised. In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised. No such centralized process exists for healthcare or insurance information, making it extremely difficult to prevent the unauthorized use of this information.”

Jason Hart, cybersecurity evangelist at Thales, pointed out that multi-factor authentication and encryption of the collected data could have saved the victims and the companies from problems.

“This is the second breach that Quest has suffered in three years, and as a publicly traded company, that can lead to serious repercussions with shareholder trust, stock price and brand reputation,” noted Ben Goodman, the VP of global strategy and innovation at ForgeRock.

“The data exposed can also result in litigation. In fact, it only took a few days for First American Financial Corporation to be hit with a class action lawsuit after its exposure of 885 million sensitive documents last week.”

Tom Garrubba, Senior Director and CISO, Shared Assessments, is curious to see how swiftly the Office of Civil Rights – who oversees HIPAA compliance – moves in to review the details of the breach and to see what negligence (if any) is on the hands of Quest.

“Business associates are by law (HIPAA Omnibus Rule) required to handle data with the same care as covered entities (HIPAA-speak for outsourcers) and these BA’s are to undergo proper due diligence from the covered entity. I’m also curious as to the size of the fines to both entities as the OCR has historically been under a lot of pressure to levy fines of healthcare breaches,” he added.

Michael Magrath, Director, Global Regulations & Standards, OneSpan, noted that the US Department of Health and Human Services should revisit the HIPAA Security and Privacy rule tighten the security controls for third parties.

“The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) could serve as the model with strong requirements for third parties including requirements pertaining access controls, including multi-factor authentication to protect data,” he opined.