Quest Diagnostics: Data on 12 Million Patients Exposed
Breach at Collections Agency Exposed Healthcare and Financial Information
This story has been updated.
A data breach at American Medical Collection Agency (AMCA) has affected nearly 12 million patients who had lab tests performed by Quest Diagnostics. The incident, which appears to be the biggest health data breach revealed so far in 2019, exposed financial data, Social Security numbers and certain medical information, the lab test firm reports.
In a statement Monday, Secaucus, New Jersey-based Quest Diagnostics says AMCA, based in Elmsford, New York, informed the lab testing firm in May that an "unauthorized user" had access to AMCA's system containing personal information the collections agency received from various entities, including from Quest.
Quest Diagnostics says AMCA provides billing collections services to revenue cycle management firm Optum360, which is a Quest contractor. "Quest and Optum360 are working with forensic experts to investigate the matter," Quest Diagnostics says. Optum360 is a unit of the health insurance company UnitedHealth Group.
In its statement, Quest Diagnostics says AMCA first notified it and Optum360 on May 14 of potential "unauthorized activity" on AMCA's web payment page.
"On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA's affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results," the Quest statement says.
The lab test firm says AMCA has not yet provided it, or Optum360, with complete information about the data security incident, including what information on which individuals may have been affected. And Quest Diagnostics reports that it has not been able to verify the accuracy of the information received from AMCA.
"Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA," the lab test firm says in its statement. The company says it will work with Optum360 "to ensure that Quest patients are appropriately notified consistent with the law."
In a statement provided to Information Security Media Group, an AMCA spokesman says the collection service is investigating the security incident.
"Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page," the spokesman says. "We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor and retained additional experts to advise on, and implement, steps to increase our systems' security. We have also advised law enforcement of this incident."
Quest and Optum360 did not immediately respond to ISMG's requests for additional details about the breach.
Largest Health Data Breach of 2019?
As of Monday, the incident was not yet listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists major health data breaches affecting 500 or more individuals. But if details of the AMCA incident are confirmed by HHS' Office for Civil Rights, the health data breach would be the largest, by far, in 2019.
As of Monday, the largest breach added to the tally so far this year was an incident affecting nearly 1.6 million individuals that involved a misconfigured server at Puerto Rico-based clearinghouse and cloud software services provider Inmediata Health Group.
Although details of the AMCA breach haven't yet emerged, some security experts note the incident offers early lessons to healthcare sector entities about security risks involving third-party vendors.
"Covered entities are increasingly relying on third parties to perform functions involving the handling or processing of ePHI on their behalf. It is important that when an organization elects to use a third party, they do their due diligence and understand the risk associated with using that particular vendor," says Jon Moore, senior vice president and chief risk officer at security consultancy Clearwater Compliance.
"In addition to signing a business associate agreement, leading organizations now typically require third parties with whom they contract to answer security questionnaires describing in some detail their IT security program and in some cases also require the vendor have regular testing of its security controls performed by an independent organization," he adds.
Unfortunately, these efforts often place the third-party vendors in a conflicted position, he contends. "On the one hand, they need to sign deals in order to stay in business. On the other, in order to make the deal, they must respond to the security questionnaires in a favorable way. As a result, there is an incentive to cast the organization's security posture in as good a light as possible. Under these circumstances, it is very easy to cross the line into a misrepresentation."
Leaders at vendors need to be aware of this issue - as do their customers, Moore says. "To avoid this dilemma, we find leading vendors are now using security as a differentiator. They are actively making the investment and taking the steps necessary to implement, test and document strong security controls. In so doing, they demonstrate to potential and existing customers that working with them poses less risk than working with a competitor."
Many covered entities and business associates still don't understand what is required to meet the HIPAA risk analysis requirement or simply elect not to perform the risk analysis, he notes. "Those that don't understand the requirement often confuse it with a controls gap assessment or perform the risk analysis at such a high level that they fail to identify risks to specific systems or components that then go insufficiently protected," Moore says. "Those that simply choose not to perform the risk analysis are demonstrating willful neglect in their compliance with HIPAA's Security Rule."