Quest breach shines spotlight on risks posed by business associates
The breach affecting Quest Diagnostics, potentially exposing the data of 11.9 million patients, is something that security execs fear most—a triple threat of information that jeopardizes privacy on different levels.
“This appears to be quite a mother lode of data, as this breach seems to touch on all three critical components of customer data—personally identifiable information, credit card data and health information,” says Tom Garrubba, senior director and CISO at Shared Assessments, a community of outsourcers, vendors, regulators and technology firms.
The size and scope of the breach raise concerns about how patient data is protected, and about the vulnerabilities that arise as outside vendors and business associates expand the attack surface of provider organizations.
Quest, a nationwide healthcare laboratory chain that also sells a suite of information management systems and conducts clinical trials, suffered the breach when American Medical Collection Agency, a billing and collections business associate of Quest, reported that an unauthorized user had gained access to AMCA’s system containing personal information that AMCA received from various entities, including Quest.
AMCA also provides billing and collections services to Optum360, which is a Quest contractor. Quest and Optum360 learned of the breach on May 14, following discovery of unauthorized activity on AMCA’s web payment page. On May 31, AMCA told Quest and Optum360 that data at risk includes personal information, financial data, Social Security numbers and medical information. Laboratory test results were not compromised.
In a statement, Quest says it has not yet received detailed or complete information about the incident, including which information of which individuals may be affected. Quest further has not yet been able to verify the accuracy of information from AMCA.
Security executives across the industry say attention will turn to how federal agencies will investigate and assign blame for the incident.
“I’m curious to see how swiftly the Office for Civil Rights—which oversees HIPAA compliance—moves in to review the details of the breach with this particular business associate who was performing the scope of work, and to see what negligence (if any) is on the hands of Quest,” Garrubba says.
“Business associates are, by law, to handle data with the same care as covered entities, and these BAs are to undergo proper due diligence from the covered entity. I’m also curious as to the size of possible fines to both entities, as the OCR has historically been under a lot of pressure to levy fines for healthcare breaches,” he adds.
Cathy Allen, CEO at Shared Assessments, took a different tack on the breach. “This is alarming, as it shows adversaries are attacking healthcare, insurance and financial information in one hack. Even though the test results are not accessible, just the types of tests prescribed might indicate a type of illness that you would not want employers or insurance companies to (know about). Thieves often steal and resell insurance data on the Internet, and having other information makes the data more valuable and the price higher.”
Robert Belfort, a partner at the Manatt, Phelps & Phillips law firm in New York, believes the incident points out the risks healthcare organizations face when sharing health information with their contractors.
“In this case, it appears the breach occurred at the subcontractor level with a company that Quest did not have a direct contract with,” he contends. “Covered entities face challenges evaluating the security programs of their business associates. The HIPAA privacy rule does not expressly require such an evaluation, but covered entities take on litigation and public relations risks when they fail to do so.”
To be fair, it is probably unreasonable for covered entities to closely monitor all of their business associates since there are too many to monitor, Belfort acknowledges. “But covered entities should have a risk stratification process that allows them to target their evaluation and monitoring efforts on those business associates who maintain large amounts of sensitive data.”
Bob Jones, senior advisor at the Santa Fe Group, a risk management consultancy, says a corrosive result of medical history identity theft from this kind of breach is the commingling of the imposter’s information with the victim’s information. “What happens, for example, if the victim is in need of emergency transfusion and the imposter’s blood type is noted on the victim’s electronic health record?”
Robert Prigge, president at Jumio, an identity verification and user authentication firm, cautions that the Quest breach is a wake-up call to a health industry that is only now recovering from a string of very public ransomware attacks. Data breaches during the past decade have affected the equivalent of more than half of the U.S. population, he notes.
“What is not commonly understood is that medical records command a high value on the Dark Web, as these records can be listed up to 10 times more than the average credit card breach because there is more personal information in health records than any other electronic database,” he contends.
Michael Magrath, director of global regulations and standards at OneSpan, a cyber security company in Chicago, notes that the Quest breach is another example of the growing trend of third-party breaches, and affected customers can look forward to what has become the customary free credit monitoring services for those victimized. “However, what is necessary is for the Department of Health and Human Services to revisit the HIPAA security and privacy rules and tighten security controls.”