Quest Diagnostics today disclosed that roughly 11.9 million patients who sought medical testing through its clinical labs may be affected by the breach of a third-party bill collection agency.
The compromised records include personally identifying information such as financial data and Social Security numbers, as well as medical information, but not lab test results.
In a company press release, Quest says it was first informed of the security incident on May 14 by American Medical Collection Agency (AMCA), which provides its services to Quest contractor Optum360. The lab operator says it received updated information, including the number of affected patients accounts, on May 31 of this year.
DataBreaches.net first broke news of the breach back on May 10, after analysts from Gemini Advisory contacted the website about a database containing SSNs, dates of birth and physical addresses that they found up for sale on the dark web. Through their investigative work, Gemini's analysts were able to identify several affected banking institutions that offer medical spending or savings accounts, and eventually linked the breach to AMCA. Gemini said they attempted to notify AMCA, but received no response.
Originally, DataBreaches.net reported via Gemini that the AMCA breach impacted more than 200,000 individuals who had used the agency's online payment portal between September 2018 and early March 2019. Now it appears the scope of the incident is much vaster.
Quest says that AMCA has still not received "detailed or complete information" about the incident, "including which information of which individuals may have been affected." Moreover, "Quest has no been able to verify the accuracy of the information received from AMCA."
Quest says that in response to the situation, it has suspended sending collection requests to AMCA.
"We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system," said a statement that AMCA provided to SC Media. "Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security. We have also advised law enforcement of this incident."
"Outsourcing billing to third-party vendors is a great way to extract efficiencies by reducing core costs, but it exposes the business and its customers to uncontrollable security risks," said Colin Bastable, CEO of Lucy Security, in emailed comments. "The fragmented health care industry, like the fragmented home finance and buying industry, is vulnerable because there are so many moving parts, so many areas where bad actors have multiple points of entry to exploit inadequate security."
Pankaj Parekh, chief product and strategy officer at SecurityFirst, also acknowledged the security challenges of relying on third-party service providers. "It's not enough to protect your data – you have to understand that data shared with partners and vendors is also at risk," said Parekh. "Enterprises like Quest Diagnostics must carefully assess the security practices of their vendors to make sure that customer data is secured. This is a lot more work for already stretched security and IT teams."