- Malicious actors may have gained access to financial, medical and other personal data on 11.9 million patients, such as their Social Security numbers, between August 1, 2018, and March 30, 2019, Quest Diagnostics disclosed Monday.
- The company said one of its billing collections vendors, American Medical Collection Agency (AMCA), alerted Quest and its revenue cycle management provider, Optum360, on May 14 there was "potential unauthorized activity" on its web payment page.
- Laboratory test results were not shared with AMCA and were not exposed, according to Quest. The company said in response to the potential data breach it has suspended sending collection requests to AMCA.
While laboratory test results remain untouched by the breach, other patient medical history is vulnerable, making Quest's data breach personal.
Personally identifiable information including names and financial records are valuable on the black market, but there's an additional layer of human violation when bad actors have access to intimate details of an individual.
Last year Marriott's hotel guest data breach drew criticism because of the personal information attached to an elite customer base and their accounts. Personal preferences, habits and travel patterns were all compromised, allowing for bad actors to potentially craft a personal profile of a Marriott customer.
A detailed profile of an individual could give attackers a template for creating secondary attacks, using tactics like personalized phishing schemes.
Unlike Marriott, the attacker's behind Quest's breach took advantage of a third party provider, AMCA, to access the data housed by the lab company. The severity of the breach hinges on the results of further investigation.
The clinical lab said it has not yet received "detailed or complete information from AMCA about the incident," or verify its accuracy, and continues to work with Optum and security experts to ascertain the potential impact of the potential data breach.
No matter where the access point is, reducing the likelihood of a breach comes down to security basics, like controlling user access with multifactor authentication and encrypting data. Scrambling data through encryption prevents bad actors from monetizing stolen information. "Only through encryption can you remove the ROI for cybercriminals to want to steal the data in the first place," said Jason Hart, cybersecurity evangelist at Thales, in an emailed statement to CIO Dive.
Quest is far from the only medical entity to be hit by hackers. Last July, Quest rival LabCorp was the target of a cyberattack that resulted in the company pulling parts of its IT system offline. The ransomware attack cost LabCorp $24 million to address.
Quest has already notified affected health plans, and the company is working to provide information to regulators to comply with state and federal laws.
Clarification: Quest Diagnostics systems were not compromised by the data security incident. AMCA, a billing collection services firm, experienced the data security incident.