Quest Diagnostics data breach is a clarion call to healthcare CIOs
In an SEC filing, Quest Diagnostics disclosed a massive data breach at a medical collections agency it uses. Healthcare CIOs should see the news as a call to action.
If the Quest Diagnostics data breach makes one thing clear, it's that the health data landscape is getting more complex. On Monday, June 3, Quest Diagnostics Inc. filed a Form 8-K with the Securities and Exchange Commission, notifying shareholders of a data breach that could affect 11.9 million people.
Beyond its size, what makes this breach notable is where Quest's patient data was accessed: not at Quest itself, but two vendor layers down. Quest Diagnostics uses Optum360 LLC for revenue cycle management services; Optum360 in turn uses American Medical Collection Agency (AMCA) for bill collection; and it was AMCA that experienced the breach.
Clyde Hewitt, executive advisor at healthcare cybersecurity consultancy CynergisTek Inc., described it as a "nesting of vendors." At each layer, the services become more specialized, but the overall complexity can make it hard for healthcare CIOs to track where their organization's data goes.
"The lack of visibility and accountability up and down the food chain is where CIOs really need to go back and take a second look," Hewitt said, "especially when it's going to involve millions and millions of records like this, where they're all collected together."
The breach and the reaction
The details surrounding the Quest Diagnostics data breach are scant and stem from the company's SEC filing. The medical testing company, based in Secaucus, N.J., said AMCA first notified it and Optum360 of the breach on May 14.
According to AMCA, an unauthorized user had access to a system between Aug. 1, 2018, and March 30, 2019, that contained data from approximately 11.9 million Quest Diagnostics patients. The system's data included Social Security numbers, credit card information and medical information, but not laboratory test results. In response to the incident, Quest Diagnostics suspended sending collection requests to AMCA.
Quest Diagnostics also noted in the SEC filing that it has not yet received detailed or complete information about the breach and has not been able to verify the accuracy of the information it received from AMCA.
Security experts called the Quest Diagnostics data breach unsurprising. Larry Ponemon, co-founder and chairman of the Ponemon Institute in Traverse City, Mich., said he hopes healthcare CIOs see it as "a warning to organizations that feel like they're safe, like they don't have a bullseye on their back. Watch out. It's likely going to happen to your organization."
Kristina Podnar, digital policy consultant and author of The Power of Digital Policy, noted that this is the second Quest data breach in less than three years. In 2016, Quest's internal systems were hacked, an incident that affected 34,000 patients. "Overall digital governance is failing these companies or they don't have good digital governance in place," she said.
Josh Zelonis, a security analyst at Forrester, said in an email that, "it's the same story over and over again." Third-party vendors are an unavoidable part of the healthcare ecosystem today, and, according to Zelonis, that puts the onus on healthcare CIOs to "understand what information is being shared with third parties, and how they are using/protecting."
As first-tier contractors subcontract to second-, third- and fourth-tier subcontractors and so on, healthcare CIOs will find it difficult to identify where their data goes without a thorough risk assessment, according to Hewitt.
"A true risk assessment analyzes where that covered entity's personal health information is all the way through the food chain," he said. "And that becomes challenging unless there is an aggressive, hands-on approach to identifying the data flow."
Exercising due diligence
Marti Arvin, executive advisor at CynergisTek, also implored healthcare CIOs to conduct appropriate due diligence, such as digging into data protection processes, when selecting third-party vendors.
"If you've done sufficient due diligence on your vendor, you should have some confidence that they're doing appropriate due diligence on those subcontractors that they're hiring," she said.
Arvin recommended healthcare CIOs conduct "risk-based" due diligence on third-party vendors. The level of due diligence conducted will depend on how much access a vendor has to the organization's data. "You have to first look and assess what is the risk to us regarding what that vendor is doing with or to our data," she said. "If it's a high risk, you'll want to do a deeper dive."
That may include visiting the vendor's data center to see the kind of physical protection that exists, asking questions about the applications a vendor is using, and reviewing the privacy and information security training and education the organization gives to its workforce, she said.
Hewitt also recommended healthcare CIOs pay attention to how they're plugged into the incident response process and how fast they get notified. "I commend Quest, in one respect: This happened on May 14 and it's already notifying on June 3," he said. "It's only been a little over two weeks that Quest's had a chance to respond to this."
Still, the Quest Diagnostics data breach could change the way patients regard the medical testing company, even if Quest performed a decent level of due diligence, according to Arvin.
"It doesn't take away the reputational harm that Quest is going to suffer in people being able to say, 'I didn't have a relationship with Optum360; I didn't have a relationship with AMCA. I have a relationship with Quest. And so, Quest, you're the responsible party for my data being compromised,'" she said.