In light of the recent Quest Diagnostics breach, which compromised the credit card numbers, medical information and personal data of 11.9 million patients, Industry leaders commented below as part of our experts comments series.
Kevin Gosschalk, CEO at Arkose Labs:
“The Quest Diagnostics breach is a timely reminder that when a company is working with a vendor, there is an added access point that needs to be protected. As hackers continue to evolve, they will target the endpoints that companies might not actively think of protecting. Credit card numbers, medical information, and personal data were stolen from 11.9 million people in this breach lasting almost an entire year. It is especially important for companies with sensitive information, such as medical records, to be proactively protecting each endpoint.”
Robert Prigge, President at Jumio:
“Today’s breach by Quest Diagnostics serves as a watershed event and a wake-up call to the health care industry only now recovering from the very public ransomware attacks. Sadly, health care data breaches are ubiquitous today — and are trending up.
Over the last decade, there have been over 2,550 data breaches impacting more than 175 million records. That’s the equivalent of affecting more than 50 percent of the U.S. population. What is not commonly understood is that medical records command a high value on the dark web – these records can be listed up to 10 times more than the average credit card breach because there’s more personal information in health records than any other electronic database.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
The Quest Diagnostics breach is another example of the growing trend of third party breaches and supports Ponemon Institute’s 2018 Data Risk in the Third-Party Ecosystem” study. The study found that 59% of companies surveyed had experienced a data breach caused by their vendors or third parties. This breach will undoubted bring a hefty fine from HHS’s Office of Civil Rights to ACMA as a business associate of Quest Diagnostics and affected customers can look forward to what has been the customary free credit monitoring service letter in their mailbox.
However, what is necessary is for HHS to revisit the HIPAA Security and Privacy rule tighten the security controls for third parties. The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) could serve as the model with strong requirements for third parties including requirements pertaining access controls, including multi-factor authentication to protect data.
Tom Garrubba, Senior Director and CISO at Shared Assessments:
This appears to be quite a motherload of data as this breach seems to touch on all three critical components of customer data: personally identifiable information, credit card data and health information. I’m curious to see how swiftly the Office of Civil Rights – who oversees HIPAA compliance – moves in to review the details of the breach with this particular business associate (HIPAA-speak for third party vendors) who was performing the scope of work, and to see what negligence (if any) is on the hands of Quest. Business associates are by law (HIPAA Omnibus Rule) to handle data with the same care as covered entities (HIPAA-speak for outsourcers) and these BA’s are to undergo proper due diligence from the covered entity. I’m also curious as to the size of the fines to both entities as the OCR has historically been under a lot of pressure to levy fines of healthcare breaches.
Byron Rashed, VP of Marketing at Centripetal:
“eCommerce, supply chains and partner networks can greatly affect the network and data security of organizations doing business with one another.
Today, it’s imperative that companies work with their business partners to ensure they are using best cybersecurity practices to mitigate risk
all around. We’ve seen similar networks become infiltrated and data exfiltrated within the partner ecosystem in the past. This is a real challenge
since it’s not only difficult to mitigate risk within an organization, but to ensure partner networks are safe and secure.”
Cathy Allen, CEO at Shared Assessments:
This is alarming as it shows adversaries are attacking healthcare, insurance and financial information in one hack. Even though the test results are not accessible, just the types of tests proscribed might indicate a type of illness that you would not want
employers or insurance companies to have. Thieves often steal and resell insurance date on the internet….having other information makes the data more valuable and the price higher.
Brad Keller, Program Director at Shared Assessments:
Another vendor breach results in millions (14.1M at first count) of records accessed. Because this time it was a billing vendor for Quest Diagnosis (a healthcare provider), not only were credit card and bank information accessed, but healthcare records as well.
This breach demonstrates the value of attacking healthcare vendors. Not only was patient healthcare and insurance information stolen, but financial information as well. Being able to obtain both sets of personal information significantly raises its value. In addition to Quest, it is reasonable to assume that American Medical Collection Agency has other customers whose customer information was accessed as well. So we truly do not yet know the full extent of the incident.
The troubling aspect of breached healthcare information is that there is no mechanism in place to prevent its mis-use. Action can be taken to freeze information at the credit bureaus and indicate that financial information has been compromised. In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised. No such centralized process exists for healthcare or insurance information, making it extremely difficult to prevent the unauthorized use of this information.
Which certainly increases the need for all healthcare related companies to effectively assess their vendors.
Bob Jones, Senior Adviser at The Santa Fe Group:
A corrosive result of medical history identity theft that can result from this kind of breach is the commingling of the the imposter’s information with the victim’s. What happens, for example, if the victim is in need of emergency transfusion & the imposter’s blood type is noted on his EHR?