Quest Diagnostics Breach – What the Experts are Saying

As you are likely aware by now, Quest Diagnostics – one of the biggest blood testing providers in the country – warned Monday that nearly 12 million of its customers may have had personal, financial, and medical information breached due to an issue with one of its vendors.

This kind of news is becoming such a familiar story that many believe the real danger lies in a growing sense of apathy regarding such events. A feeling of helplessness may lead the public to simply tune out, cross their fingers, and hope for the best.

Salvation from this type of attack will, undoubtedly, come from dedicated security professionals who have built their careers on defeating our ever more pervasive cybersecurity adversaries.

Below are comments from some of these dedicated security experts.

Kevin Gosschalk, CEO, Arkose Labs

“The Quest Diagnostics breach is a timely reminder that when a company is working with a vendor, there is an added access point that needs to be protected. As hackers continue to evolve, they will target the endpoints that companies might not actively think of protecting. Credit card numbers, medical information, and personal data were stolen from 11.9 million people in this breach lasting almost an entire year. It is especially important for companies with sensitive information, such as medical records, to be proactively protecting each endpoint.”

Robert Prigge, President, Jumio

“Today’s breach by Quest Diagnostics serves as a watershed event and a wake-up call to the health care industry only now recovering from the very public ransomware attacks. Sadly, health care data breaches are ubiquitous today — and are trending up.

Over the last decade, there have been over 2,550 data breaches impacting more than 175 million records. That’s the equivalent of affecting more than 50 percent of the U.S. population. What is not commonly understood is that medical records command a high value on the dark web – these records can be listed up to 10 times more than the average credit card breach because there’s more personal information in health records than any other electronic database.”

Michael Magrath, Director, Global Regulations & Standards, OneSpan

“The Quest Diagnostics breach is another example of the growing trend of third-party breaches and supports Ponemon Institute’s 2018 “Data Risk in the Third-Party Ecosystem” study. The study found that 59% of companies surveyed had experienced a data breach caused by their vendors or third parties. This breach will undoubtedly bring a hefty fine from HHS’s Office of Civil Rights to ACMA as a business associate of Quest Diagnostics, and affected customers can look forward to what has been the customary free credit monitoring service letter in their mailbox. However, what is necessary is for HHS to revisit the HIPAA Security and Privacy Rule and tighten the security controls for third parties. The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) could serve as the model, with strong requirements for third parties including requirements pertaining to access controls, including multi-factor authentication to protect data.”

Tom Garrubba, Senior Director and CISO, Shared Assessments

“This appears to be quite a mother lode of data, as this breach seems to touch on all three critical components of customer data: personally identifiable information, credit card data, and health information. I’m curious to see how swiftly the Office of Civil Rights – who oversees HIPAA compliance – moves in to review the details of the breach with this particular business associate (HIPAA-speak for third-party vendors) who was performing the scope of work, and to see what negligence (if any) is on the hands of Quest. Business associates are required by law (HIPAA Omnibus Rule) to handle data with the same care as covered entities (HIPAA-speak for outsourcers), and these BAs are to undergo proper due diligence from the covered entity. I’m also curious as to the size of the fines to both entities, as the OCR has historically been under a lot of pressure to levy fines for healthcare breaches.”

According to Byron Rashed, VP of Marketing at Centripetal:

“eCommerce, supply chains and partner networks can greatly affect the network and data security of organizations doing business with one another.

Today, it’s imperative that companies work with their business partners to ensure they are using the best cybersecurity practices to mitigate risk all around. We’ve seen similar networks become infiltrated and data exfiltrated within the partner ecosystem in the past. This is a real challenge since it’s not only difficult to mitigate risk within an organization, but to ensure partner networks are safe and secure.”

Cathy Allen, CEO, Shared Assessments

“This is alarming as it shows adversaries are attacking healthcare, insurance and financial information in one hack. Even though the test results are not accessible, just the types of tests prescribed might indicate a type of illness that you would not want employers or insurance companies to have. Thieves often steal and resell insurance data on the internet. Having other information makes the data more valuable and the price higher.”

Brad Keller, Program Director, Shared Assessments

“Another vendor breach results in millions (14.1M at first count) of records accessed. Because this time it was a billing vendor for Quest Diagnostics (a healthcare provider), not only were credit card and bank information accessed, but healthcare records as well. This breach demonstrates the value of attacking healthcare vendors. Not only was patient healthcare and insurance information stolen, but financial information as well. Being able to obtain both sets of personal information significantly raises its value. In addition to Quest, it is reasonable to assume that American Medical Collection Agency has other customers whose customer information was accessed as well. So we truly do not yet know the full extent of the incident. The troubling aspect of breached healthcare information is that there is no mechanism in place to prevent its misuse. Action can be taken to freeze information at the credit bureaus and indicate that financial information has been compromised. In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised. No such centralized process exists for healthcare or insurance information, making it extremely difficult to prevent the unauthorized use of this information, which certainly increases the need for all healthcare-related companies to effectively assess their vendors.”

Bob Jones, Senior Adviser, The Santa Fe Group

“A corrosive result of medical history identity theft that can result from this kind of breach is the commingling of the imposter’s information with the victim’s. What happens, for example, if the victim is in need of emergency transfusion & the imposter’s blood type is noted on his EHR?”

Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine