author photo
By SecureWorld News Team
Mon | Jun 3, 2019 | 11:15 AM PDT

Quest Diagnostics is so heavily used by doctors and so widely paid by insurers that it is approaching a huge milestone: it is considered an "in-network" medical testing provider for nearly 90% of people with insurance in the United States.

Now, it has filed a breach notice with the U.S. Securities and Exchange Commission that has a number just as impressive.

A breach has potentially exposed some medical and billing information of nearly 12 million Quest patients and customers.

Quest blames third-party vendor

In this case, it appears third-party risk has struck again.

And it proves an adage we've heard at SecureWorld cybersecurity conferences this year: "You need to not only evaluate your third-party vendor security controls, but also your third-party's third-party."

Here is how that looks in the case of the Quest Diagnostics data breach:

  • Quest Diangostics does the patient tests requested by doctors, clinics, and hospitals.
  • Quest hires Optum360 to handle the medical billing.
  • Optum360 contracts with American Medical Collection Agency (AMCA), a billing collections vendor, to collect on the bad accounts.

5 things we know about the Quest data breach

Reading the  Quest Diagnostics filing with the SEC provides several clues about the data breach. Here are five of them:

  1. The breach apparently started on a website:
    "On May 14, 2019, American Medical Collection Agency (AMCA), a billing collections vendor, notified Quest Diagnostics Incorporated (“Quest Diagnostics”) and Optum360 LLC, Quest Diagnostics’ revenue cycle management provider, of potential unauthorized activity on AMCA’s web payment page." 
  2. Hackers had access for more than eight months:
    "Between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself."
  3. Quest is relying on data breach numbers from its vendor's vendor:
    "AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people." 
  4. Quest has at least some insurance:
    "Quest Diagnostics has insurance coverage in place for certain potential liabilities and costs relating to the incident; this insurance is limited in amount and subject to a deductible."
  5. Patients' actual test results were not impacted, although the types of diagnostic tests being billed for were potentially exposed:
    "Quest Diagnostics’ laboratory test results were not provided to AMCA and were therefore not impacted by this incident."

Vendor risk management

This story reminds us of what Rebecca Rakoski, Managing Partner of XPAN Law Group, shared with a packed room at SecureWorld Atlanta just last week.

Rebecca Rakoski session

“Vendor risk management is something organizations really struggle with, from small businesses to large multinationals,” Rakoski told the group. 

“Always try and negotiate the terms with your third-party vendors," she says. "At least try.”

[RELATED: Cybersecurity webinar live/on-demand: Time to Rethink DLP.]