A day after Quest Diagnostics Inc. notified the Securities and Exchange Commission of a data breach that could affect 11.9 million people, another medical testing company is adding to that total.
Laboratory Corporation of America Holdings (LabCorp) filed an 8-K form on Tuesday with the SEC that a breach of its data could affect 7.7 million people. Like Quest Diagnostics, the data breach originated with the American Medical Collection Agency, a bill collections service that reported unauthorized activity on its online payment page.
Kate Borten, a health IT and information security expert, called the breach "horrifying."
Borten said breaches that involve subcontractors and business associates -- sometimes one to multiple companies removed from an original healthcare provider or covered entity -- are rising.
"Business associates need to recognize the responsibility they have and the fact that they are absolutely subject to Health and Human Services," she said. "They're required to have all the security components in place of a good security program that a covered entity would have."
American Medical Collection Agency breach
American Medical Collection Agency (AMCA) is a third-party bill collection agency. According to LabCorp's SEC filing, AMCA notified the healthcare diagnostics company of unauthorized activity on its web payment page between Aug. 1, 2018, and March 30, 2019, the same dates the unauthorized user had access to Quest Diagnostics patient data.
LabCorp referred about 7.7 million consumers to AMCA, and their data was kept in the affected system, including first and last names, dates of birth, addresses, phone numbers, dates of service, provider information and balance information, according to the filing. It also included credit card or bank account information provided by consumers seeking to pay their balance to the collections agency.
LabCorp claims in the filing that no ordered tests, laboratory results or diagnostic information was provided to AMCA. AMCA advised LabCorp that information such as Social Security numbers and insurance identification information aren't stored for LabCorp consumers.
Based on the SEC filing, the unauthorized user appeared to have access to the Social Security numbers within Quest Diagnostics patient data, but not within LabCorp patient data, according to Borten.
"This is bordering on unconscionable," she said.
American Medical Collection Agency has not yet provided LabCorp with a complete list of LabCorp consumers affected by the data breach, but it is in the process of sending notices to 200,000 LabCorp consumers whose credit card or bank account information may have been accessed, according to the filing.
AMCA has also indicated that it has taken steps to increase the security of its systems and is continuing to investigate the incident. LabCorp has ceased sending new collection requests to AMCA following notification of the incident and stopped the agency from working on any pending collection requests involving LabCorp consumers.
For any organization dealing with confidential material and using a web portal, whether it's patient information or not, that entity should be performing additional due diligence to ensure the portal's security, Borten said.
"You should be doing penetration tests, you should be doing all kinds of monitoring of that site because we all know that's the entry point into your private network, your confidential assets," she said. "Any organization that's got this direct connection to the Internet should have these things in place."
According to the American Medical Collection Agency website, AMCA is the "leading recovery agent for patient collections," managing more than $1 billion in annual receivables. The collection agency works with laboratories, hospitals, physician groups, billing services and medical providers across the country, according to the website.
Advice to CIOs: Be thorough, diligent with business associate contracts
Borten advised healthcare CIOs to borrow from a strategy often used by larger insurers or healthcare organizations, if they're not already doing so: When entering a contract with a third-party service provider, they should require those entities to complete a questionnaire about their security programs.
The questionnaire should be followed up with conference calls, on-site visits, security policy review and an overall security assessment.
Part of the challenge on the healthcare provider side is that hospitals and small provider organizations are struggling to keep their own environments secure. Yet healthcare CIOs and security leaders need to recognize that business associate contracts are legally binding and enforceable, not simply agreements.
"I say to covered entities and business associates who are using these things, you should be labeling this as a business associate contract because that's what it is," she said. "That's how HHS views it and intends it to be used and it is legally enforceable."