Quest Diagnostics Data Breach: 12 Million Patient Records

Clinical laboratory firm Quest Diagnostics Inc. has admitted exposure of personal information of nearly 12 million customers after its web payment page was accessed by an unauthorized individual. On Monday, the diagnostic testing provider confirmed in a filing with securities regulators that up to 12 million patients may be affected by a recent data breach at the American Medical Collection Agency. The AMCA was also the third party responsible for a recent LabCorp data breach affecting 7.7 million customers, the testing company said Tuesday. Apart from personal medical information, the company reported that the affected patients’ Social Security numbers and financial data were breached as well, leaving patients susceptible to financial fraud.

The breach happened through a contractor of a contractor. Quest outsources its billing collections to Optum360, which in turn used American Medical Collection Agency for such services. AMCA told Quest on May 14 that it suffered a possible incident, but it's unclear exactly when a hack might have occurred. Quest said it doesn't have "detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected."

Quest also said it hasn't been able to verify the accuracy of the information received from AMCA. Quest said that it hasn't used AMCA for collections since it learned of the incident and that it is "working with forensic experts to investigate the matter."

Quest was made aware of the breach on May 14, but has not been able to verify AMCA's statement, nor does the company know exactly which patients have been involved. Once the firm has a better understanding of the situation, impacted patients will be told. Since learning of the data breach, AMCA collection requests have been suspended. Law enforcement has been notified and a cyber forensics firm has been hired to investigate the security incident.

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," Quest said in a statement.

Quest said it's taking the matter "very seriously" and has suspended collections requests to the AMCA. Quest said patients will be notified and that it's working with forensic experts to investigate the breach.

Fresenius had five separate data breaches and agreed to pay $3.5 million

Medical supplies giant Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million to U.S. federal regulators after five separate data breaches in 2012.

The U.S. Department of Health and Human Services Office for Civil Rights levied the fine along with a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. A federal investigation found the company failed to conduct an accurate risk analysis of vulnerabilities to its protected information.

FMCNA filed five breach reports in January 2013 covering incidents from February-July 2012 impacting the electronic protected health information for five FMCNA-owned branches across the United States.

The list of violations is long. One branch didn’t encrypt sensitive information, another had no policies around removing hardware from facilities, two businesses had no safeguards against unauthorized access or theft while yet another had no procedure to address security incidents, according to the federal investigation.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” OCR Director Roger Severino said in a statement. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Fresenius Medical Care is a German-based international conglomerate that sells medical supplies around the world, with a concentration on kidney health. The company makes about $18 billion per year in revenue as of FY 2016.

FMCNA did not respond to a request for comment.