Do you assume that your doctor or lab service provider isn’t going to share your test results with the rest of the world? After all, your doctor is duty-bound to ensure medical secrecy. So it’s just tough luck when a service provider opens up access to millions of patient records, right? That’s what happened to Quest Diagnostics, one of the biggest blood test providers in the US. Apparently, the company hadn’t protected its patients’ financial data, like credit card and bank account numbers, to say nothing of their medical details and personal information such as social security numbers.
Quest Diagnostics said that hackers had accessed about 12 million patient records stored at its billing service provider, American Medical Collection Agency (AMCA), between August 2018 and March 2019. Storing sensitive data with no protection these days is frankly verging on gross negligence. The attack exposes victims to the risk of identity theft and impacts the trust they have in service providers. Quest said that the stolen data didn’t include any lab test results – but that isn’t much consolation to the victims.
AMCA was a bit reticent in its comments on the incident. Staff said they hadn’t even noticed the data theft until a security company alerted them to it. AMCA has now hired IT forensics specialists. One of the first measures it says it has taken is to transfer the web payment portal to a third-party provider – although it’s unclear how the data will be protected. It’s also engaged additional experts to advise the company on the implementation of security measures. Their statement – “we continue to be committed to the security of our system and the protection of personal and other data” – just sounds like a bad joke.
There’s nothing wrong with companies using third-party providers to handle their billing or other tasks for them. But it’s essential for businesses working with sensitive personal data – such as in the healthcare and financial sectors – to ensure that the data stays secure wherever it goes. It’s totally unacceptable to send unprotected information to an external service provider that doesn’t secure it either. Once the data has left in the clear, the risk can no longer be controlled after the fact.
If the data had already been encrypted before it left Quest Diagnostics, the attackers wouldn’t have had a chance. The fact that the firm is introducing security measures now, when the horse has already bolted, is good – but a bit late. That’s why it’s crucial to take the initiative in good time. Using an encryption solution like the eperi Gateway, companies keep control over the entire encryption process right from the start, and they alone decide who has access to the unencrypted information. Anyone else only ever sees it in its encrypted state, so all an attacker can seize is unreadable and therefore meaningless data.
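The principle described above, as an added illustration that is not eperi’s code or any product’s implementation: a hypothetical data-owner gateway encrypts sensitive fields (here an SSN) with AES-GCM before a record is handed to a billing provider, keeps the key on the owner’s side, and binds the field name as associated data so a stolen ciphertext cannot be decrypted with a different key, altered, or reused under another field. Fields the provider must actually process would still have to stay in the clear or be tokenized, which is a design decision this snippet does not cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)
// Gateway holds the data owner's key; the provider only ever sees Protect's output.
type Gateway struct{ aead cipher.AEAD }
// NewGateway takes a 16- or 32-byte AES key (in practice from the owner's KMS/HSM).
func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead}, nil
}

// Protect encrypts one sensitive field with AES-GCM before the record leaves the owner.
// The field name is bound as associated data, so a ciphertext cannot be replayed under another field.
func (g *Gateway) Protect(field, value string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Reveal decrypts a protected field. Open fails with the wrong key, a tampered
// ciphertext or a swapped field name, so a copy stolen from the provider is useless.
func (g *Gateway) Reveal(field, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if ns := g.aead.NonceSize(); err == nil && len(ct) >= ns {
		pt, err := g.aead.Open(nil, ct[:ns], ct[ns:], []byte(field))
		return string(pt), err
	}
	return "", fmt.Errorf("malformed ciphertext")
}
func main() {
	g, _ := NewGateway([]byte("constructed-demo-key-32-bytes!!!")) // demo key only
	stored, _ := g.Protect("ssn", "123-45-6789")                    // constructed sample value
	fmt.Println("provider stores:", stored)                          // ciphertext, not the SSN
}
```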