Quest Diagnostics Data Left Exposed Impacting Millions

Most people are familiar with the old adage that the chain is no stronger than its weakest link. Nowhere is that truer than in the hyperconnected world of healthcare where the need for communication across multiple systems is not just a nice-to-have – but a necessity.

Quest Diagnostics is dealing with the fallout from another data breach that resulted from “malicious activity” that occurred on payment pages of third-party partner American Medical Collection Agency (AMCA). Between August 2018 and June 2019, an uninvited hacker-guest crashed AMCA’s payment page party and helped themselves to social security numbers, credit card numbers, medical numbers and other related information. The security incident affected 11.9 million patients

Become a Subscriber

Please purchase a subscription to continue reading this article.

Subscribe Now

As Quest’s second serious security incident in three years, concerns are being raised about the capacity of healthcare organizations to safeguard some of people’s most sensitive information. In the first breach, hackers breached the gates of their “MyQuest” portal and managed to grab data on 34,000 patient’s names, dates of birth, lab results and phone numbers.

Many times, health care systems are connecting with smaller businesses, such as physician practices, lab services and home care agencies – and not all of these stakeholders can provide the same level of security as their larger, better-funded counterparts. At a time that many health organizations are having to justify their basic budgets, hackers have unprecedented access to new tools to wage their cyber-war.

David Finn is the executive vice president of strategic innovation at CynergisTek. He shared his thoughts on some of the inherent risks associated with doing business in today’s digital world “We have recognized for over a year now, in fact, starting with the Target breach in 2013, that third parties are one of the biggest threats to any organization,” Finn said.

A more cohesive over-arching strategy might be the answer to this industry problem, however, but may be difficult to accomplish given how fragmented healthcare practice can be. Even with recent trends towards more integration – much work still needs to be done. The solution to cyberattacks can no longer belong to just one department, organization, or sector.

Collaborations at the industry level can go a long way towards raising awareness of risk, educating interested stakeholders, establishing minimum standards for securing data and moving healthcare towards a more cohesive strategy that protects both providers and their patients.

“It is critical that healthcare providers understand the serious personal risk associated with a breach of patient information,” Finn said, speaking about the importance of awareness and education.

“They must leverage security strategies and tools that respect patient privacy and prescribe real-time, contextual and continuous security that detects unusual behavior and prompts further action, such as identity verification, to stop – or at least slow – malicious actors,” he added.

Quest’s breach highlights the complexity of the problem and the need for a different approach. Josh Mayfield, director of security strategy at Absolute, a security tech vendor, says the industry needs to think bigger.

“It’s not just that vendor risk needs to level-up, but we must also broaden our imaginations,” Mayfield observed. “Most organizations have risk profiles and commitments with their vendors, especially those handling PHI as a third party. Yet when you multiply the number of connections, data flows, EDIs and other exchanges, there is bound to be something neglected in the Gordion knot.”