Quest Diagnostics is a US-based company that provides medical testing services, and announced that it used third-party billing collection companies that were hit by a severe data breach. In fact, Medical Identity Theft affected about 11.9 million Quest customers.
The compromised information could include personal data of the patients, including Social Security numbers, as well as medical and financial information. However, laboratory test results aren’t included in the breach.
The AMCA (American Medical Collection Agency) is a billing collection service provider and informed Quest Diagnostics that it had an unauthorized user who gained access to the AMCA system, which contained personal information that AMCA got from a variety of entities, including Quest. AMCA provides its collections services to Optum360, which is a Quest contractor. Both Optum360 and Quest are working with experts to investigate the issue.
The company also noted that it still doesn’t have much information about the data security incident at AMCA, and it doesn’t know for sure what data was compromised. However, the company no longer sends its collection requests to AMCA and won’t do so until the issue is resolved.
Quest filed an SEC filing, which revealed that the attackers gained access to the AMCA system between August 2018 and March 2019.
According to one data breach website, Gemini Advisory analysts first discovered the breach. The analysts noticed a CNP (Card Not Present) database, which had posted for sale on the dark web’s market. It figured out the data could have been stolen through the AMCA online portal. Gemini Advisory attempted to contact AMCA but received no response, so it contacted the US federal law enforcement agency.
A spokesperson for AMCA says that, upon receiving the information that there was a possible data breach from a compliance company that worked with other credit card companies, it conducted an internal investigation and took down its payments page online. The company also said it was investigating the breach with the help of an unnamed third-party forensics company.
The Quest breach targeted primarily financial data with personal information (SSNs). That kind of information is significantly more lucrative than health information, which isn’t really marketable by criminals, at least not yet. The financial information disclosed was comprehensive and included bank accounts and credit card numbers. Therefore, victims could get their identities stolen and have financial transactions completed in their name.
Users of the website or the company need to get a credit freeze and monitor their bank accounts and credit cards for any unusual activity and might want to freeze their credit reports so that no new credit lines can be taken out in their name.
Action needs to be taken now to freeze your information with the credit bureau and warn the credit bureaus that your financial information might have been compromised. Along with such, financial institutions usually have programs available to take corrective action, which can prevent your credit card or account from being used without permission if your account has been compromised.
The issue is that insurance and healthcare information doesn’t have such a centralized process, which makes it extremely tough to prevent the use of this information from someone who doesn’t have permission to use it.
The Cyber security evangelist of Thales, Jason Hart, chimed in with the fact that multi-factor encryption and authentication of the collected data might have saved the companies and victims from having problems.
The VP of innovation and global strategy at ForgeRock, Ben Goodman, noted that this is the second known breach for Quest in just three short years. As a public company, it could lead to a variety of serious repercussions with respect to brand reputation, shareholder trust, and stock prices. He also said that the exposed data might result in litigation. When First American Financial Corporation was breached, it took just a few days for the company to get hit with a class-action lawsuit when it exposed 885 million documents full of sensitive information just last week.
The CISO and Senior Director for Shared Assessments, Tom Garrubba, wants to see just how quickly the Office of Civil Rights (an overseer of HIPAA compliance), rushes in to get information about the breach and to determine if any negligence was there and if Quest is to blame (partially or fully).
Through the HIPAA Omnibus Rule, business associates must handle any data with the care provided to covered entities (outsourcers). Those business associates have to provide due diligence to the covered entity.
Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.