In light of the recent Quest Diagnostics breach, which compromised the credit card numbers, medical information and personal data of 11.9 million patients, industry leaders commented below as part of our experts comments series.
“The Quest Diagnostics breach is a timely reminder that when a company is working with a vendor, there is an added access point that needs to be protected. As hackers continue to evolve, they will target the endpoints that companies might not actively think of protecting. Credit card numbers, medical information, and personal data were stolen from 11.9 million people in this breach lasting almost an entire year. It is especially important for companies with sensitive information, such as medical records, to be proactively protecting each endpoint.”
“Today’s breach by Quest Diagnostics serves as a watershed event and a wake-up call to the health care industry only now recovering from the very public ransomware attacks. Sadly, health care data breaches are ubiquitous today — and are trending up.
Over the last decade, there have been over 2,550 data breaches impacting more than 175 million records. That’s the equivalent of affecting more than 50 percent of the U.S. population. What is not commonly understood is that medical records command a high value on the dark web – these records can be listed up to 10 times more than the average credit card breach because there’s more personal information in health records than any other electronic database.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
The Quest Diagnostics breach is another example of the growing trend of third party breaches and supports Ponemon Institute’s 2018 “Data Risk in the Third-Party Ecosystem” study. The study found that 59% of companies surveyed had experienced a data breach caused by their vendors or third parties. This breach will undoubtedly bring a hefty fine from HHS’s Office of Civil Rights to AMCA as a business associate of Quest Diagnostics, and affected customers can look forward to what has been the customary free credit monitoring service letter in their mailbox.
However, what is necessary is for HHS to revisit the HIPAA Security and Privacy Rules to tighten the security controls for third parties. The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) could serve as the model, with strong requirements for third parties including requirements pertaining to access controls, including multi-factor authentication to protect data.
This appears to be quite a motherlode of data, as this breach seems to touch on all three critical components of customer data: personally identifiable information, credit card data and health information. I’m curious to see how swiftly the Office of Civil Rights – who oversees HIPAA compliance – moves in to review the details of the breach with this particular business associate (HIPAA-speak for third party vendors) who was performing the scope of work, and to see what negligence (if any) is on the hands of Quest. Business associates are required by law (HIPAA Omnibus Rule) to handle data with the same care as covered entities (HIPAA-speak for outsourcers), and these BAs are to undergo proper due diligence from the covered entity. I’m also curious as to the size of the fines to both entities, as the OCR has historically been under a lot of pressure to levy fines for healthcare breaches.
This is alarming as it shows adversaries are attacking healthcare, insurance and financial information in one hack. Even though the test results are not accessible, just the types of tests prescribed might indicate a type of illness that you would not want employers or insurance companies to have. Thieves often steal and resell insurance data on the internet… having other information makes the data more valuable and the price higher.
Another vendor breach results in millions (14.1M at first count) of records accessed. Because this time it was a billing vendor for Quest Diagnostics (a healthcare provider), not only were credit card and bank information accessed, but healthcare records as well.
This breach demonstrates the value of attacking healthcare vendors. Not only was patient healthcare and insurance information stolen, but financial information as well. Being able to obtain both sets of personal information significantly raises its value. In addition to Quest, it is reasonable to assume that American Medical Collection Agency has other customers whose customer information was accessed as well. So we truly do not yet know the full extent of the incident.
The troubling aspect of breached healthcare information is that there is no mechanism in place to prevent its mis-use. Action can be taken to freeze information at the credit bureaus and indicate that financial information has been compromised. In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised. No such centralized process exists for healthcare or insurance information, making it extremely difficult to prevent the unauthorized use of this information.
This certainly increases the need for all healthcare related companies to effectively assess their vendors.
A corrosive result of medical history identity theft that can result from this kind of breach is the commingling of the imposter’s information with the victim’s. What happens, for example, if the victim is in need of an emergency transfusion and the imposter’s blood type is noted on his EHR?
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security