Supply chain security vulnerabilities strike again as Fortune 500 healthcare company Quest Diagnostics appears to have left the records of its 12 million customers exposed to an unknown party, by way of a third party data breach involving one of their vendors.
Quest is one of the largest providers of clinical laboratory testing services in the United States. When a court or an employer requires drug screening or a clinic needs outside blood testing done, there is a good chance that they make use of one of the company’s 2,000 locations in the country. Quest has additional operations in several other countries: Brazil, Mexico, India and the United Kingdom.
The third party data breach struck American Medical Collection Agency (AMCA) of New York, a billing collections vendor that provides services to Quest Diagnostics. In a public statement on the breach, Quest announced that sensitive personal information of about 12 million of their customers may have been exposed. This includes credit card numbers, bank account information, medical details, and personal identity and contact details to include Social Security numbers.
How the Quest third party data breach happened
Unlike many of these incidents, Quest’s discovery of the third party data breach appears to have been internal. AMCA discovered the breach on May 14 and reported it to Quest. The first the public heard of the breach was when Quest disclosed it as part of an early June filing with the Securities and Exchange Commission.
The filing revealed that an unknown party gained illicit access to the AMCA website and executed a “man in the middle” attack focused on payment pages. The attackers logged payment and personal information entered by visitors. Quest states that their internal medical records (such as laboratory test results) were not accessed during the third party data breach, but the attackers had access to any medical information that might have been entered on the AMCA site.
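The attack described above, an intruder with access to the vendor's site inserting code that captures what visitors type on the payment pages, is one that the site operator can detect by comparing the scripts actually served with the scripts approved at deploy time. The following is an added illustration written for this article; it is not code from AMCA, Quest or Optum360, and the hostnames, sample HTML and the `audit_payment_page` helper are constructed for the example. It hashes every inline script on a served page, checks each external script's host against an allowlist, and reports anything not in the baseline.

```python
"""Integrity check for a web payment page: report scripts that were not part
of the deployed baseline. Added example for this article, not vendor code.
The HTML samples, hostnames and digests below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect inline script bodies and the src of external scripts."""

    def __init__(self):
        super().__init__()
        self.inline = []      # text of each inline <script> block
        self.external = []    # src attribute of each external <script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def script_digest(text):
    """SHA-256 of an inline script body; this is its baseline identity."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_payment_page(html, baseline_digests, allowed_hosts):
    """Return findings for a served payment page (empty list means clean).

    baseline_digests: SHA-256 digests of inline scripts approved at deploy time
    allowed_hosts:    hostnames from which external scripts may be loaded
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for body in collector.inline:
        digest = script_digest(body)
        if digest not in baseline_digests:
            findings.append(("unapproved_inline_script", digest[:16]))
    for src in collector.external:
        host = urlparse(src).hostname
        if host is None or host not in allowed_hosts:
            findings.append(("unapproved_external_script", src))
    return findings


# Constructed baseline: the payment page exactly as it was deployed.
APPROVED_INLINE = "document.getElementById('pay').addEventListener('submit', validateForm);"
BASELINE = {script_digest(APPROVED_INLINE)}
ALLOWED_HOSTS = {"payments.example-vendor.test"}   # constructed hostname

CLEAN_PAGE = f"""<html><body>
<form id="pay"><input name="card"></form>
<script src="https://payments.example-vendor.test/form.js"></script>
<script>{APPROVED_INLINE}</script>
</body></html>"""

# Constructed tampered page: one extra inline script and one script pulled
# from a host that is not on the allowlist. Both bodies are placeholders.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script>/* unapproved script placeholder */</script>\n"
    '<script src="https://cdn.unknown-host.test/x.js"></script>\n</body>',
)

if __name__ == "__main__":
    print("clean page:", audit_payment_page(CLEAN_PAGE, BASELINE, ALLOWED_HOSTS))
    print("tampered page:", audit_payment_page(TAMPERED_PAGE, BASELINE, ALLOWED_HOSTS))
```

Run periodically against the live page from outside the vendor's network, the check catches both an edited inline script and a script loaded from an unexpected origin, which covers the two usual ways captured form data leaves a page. It complements, rather than replaces, a Content Security Policy and Subresource Integrity attributes, and it does nothing about the underlying question of how the intruder got write access to the site in the first place.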
AMCA is primarily used by Quest to pursue customers whose bills have entered collections (by way of a middleman company called Optum360 that processes payments). Quest stated that the attackers were known to have been logging information from August 1, 2018 to March 30, 2019. Quest has since stopped sending collection requests to AMCA, and AMCA has taken down its web payments page and contracted an outside security firm for an audit. AMCA stated that it does not yet know exactly how the unauthorized user gained access.
Quest experienced a much smaller but similar security breach in 2016, when hackers were able to gain illicit access to their internal MyQuest patient portal. That breach exposed the contact information and lab results of about 34,000 patients.
A perfect storm of data handling irresponsibility
Whoever is behind this third party data breach stumbled into a treasure chest full of information. This chest is buried at the intersection of three of the types of data that hackers most desire: personal identifying information that can be used for identity fraud, information about medical conditions, and financial account information.
As Tom Garrubba, Senior Director and CISO of Shared Assessments, observed:
“This appears to be quite a motherlode of data as this breach seems to touch on all three critical components of customer data: personally identifiable information, credit card data and health information. I’m curious to see how swiftly the Office of Civil Rights – who oversees HIPAA compliance – moves in to review the details of the breach with this particular business associate (HIPAA-speak for third party vendors) who was performing the scope of work, and to see what negligence (if any) is on the hands of Quest. Business associates are required by law (HIPAA Omnibus Rule) to handle data with the same care as covered entities (HIPAA-speak for outsourcers) and these BAs are to undergo proper due diligence from the covered entity. I’m also curious as to the size of the fines to both entities as the OCR has historically been under a lot of pressure to levy fines for healthcare breaches.”
This raises an important question: why did a collections agency have all of this information in the first place? Financial information is understandable if they accept payments for outstanding bills. Medical information, at least in an unobscured form, is harder to understand. The biggest question mark involves the Social Security numbers that were leaked. Testing labs in the United States generally do not require patients to surrender their Social Security number, so where did these come from?
One possibility is the world of “debt brokers”, a type of data broker that focuses specifically on people who are believed to be debtors. The FTC issued a warning about these brokers in 2014, noting that they often possess sensitive personal information that they should not have access to. It will be interesting to see if further details about AMCA’s data sources emerge as this matter is investigated.
Potential fallout from the Quest data breach
There are obvious risks of identity theft and account takeover, but the combination of information exposed as a result of this third party data breach could lead to some particularly worrying phishing attacks.
As Cathy Allen, CEO of Shared Assessments, pointed out:
“This is alarming as it shows adversaries are attacking healthcare, insurance and financial information in one hack. Even though the test results are not accessible, just the types of tests prescribed might indicate a type of illness that you would not want employers or insurance companies to have. Thieves often steal and resell insurance data on the internet... having other information makes the data more valuable and the price higher.”
We know that Quest’s lab results were not leaked, but we also know that “medical information” was leaked. A reasonable inference is that this consists of medical coding attached to the bills, which could potentially be tracked back to conditions and diagnoses. Even without the codes, uniform billing amounts could be tracked back to specific tests and procedures.
If that is indeed what the medical data mentioned in AMCA’s statement consists of, it’s a powerful tool for phishers in conjunction with the financial and personal information that this third party data breach made available. Phishers and scammers could easily pose as the target’s physician or insurance company, citing private medical details to inspire confidence. Blackmail is also a possibility if public figures were among the victims of this breach.
This third party data breach will seem particularly unfair to some, as many of Quest’s “customers” exposed in this mishap were not patrons by choice. They may have been sent to the company by a court order, under pressure from an employer, or as part of what they believed to be a private and safe screening process.
Supply chain control
This is yet another example of a high-profile company finding itself in trouble due to sharing sensitive information with a smaller vendor that had its own data security issues. The unique wrinkle here is the amount of data that AMCA was holding and where they got it from, given that it is unlikely that Quest was furnishing them with Social Security numbers.
As Colin Bastable, CEO of Lucy Security, noted:
“Once again, a breach that results from third party vulnerabilities. Outsourcing billing to third party vendors is a great way to extract efficiencies by reducing core costs, but it exposes the business and its customers to uncontrollable security risks. The fragmented healthcare industry, like the fragmented home finance and buying industry, is vulnerable because there are so many moving parts, so many areas where bad actors have multiple points of entry to exploit inadequate security.”
As has been discussed many times before, preventive measures are the best defense against supply chain attacks. Vendor security practices need to be screened, and liability and audit requirements need to be spelled out carefully in contracts. This particular third party data breach demonstrates that companies should also pay attention to what other data a vendor may hold, and to the potential legal liability when that data is combined with the data they are supplying.