As AMCA breach numbers reach 20M, Sens. Cory Booker and Bob Menendez sent letters to Quest, LabCorp, and the billing services vendor to find out how they overlooked an eight-month-long hack.
Democratic New Jersey Sens. Cory Booker and Bob Menendez sent letters to Quest Diagnostics, LabCorp, and their billing services vendor American Medical Collection Agency demanding that officials explain how a system hack went undetected for eight months, and asking for other details about the breach, which now may impact upwards of 20 million patients.
At the end of May, AMCA began notifying clients of a systems hack that began in August 2018 and lasted through March 2019. A hacker gained access to a server with a wide range of data from several AMCA clients including patient data and some Social Security numbers, among other sensitive information.
Quest Diagnostics was notified first that 11.9 million patients potentially had their bank account details, contact information, and SSNs exposed during the hack, followed by LabCorp with 7.7 million potential breach victims. And earlier this week, BioReference was added to the tally with about 422,000 impacted patients.
Following Quest and LabCorp’s announcements, Michigan Attorney General Dana Nessel launched an inquiry into the event to better understand its scope. On June 5, Booker and Menendez joined the scrutiny of the massive security event, beginning with Quest.
“As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” Menendez wrote to the Quest CEO. “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises.”
“Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures and to confront the real possibility that their confidential medical information and history has been exposed,” he added.
To Menendez, it’s imperative to fully understand the scope of the breach in order to protect breach victims from abuse of their medical, personal, and financial data.
Specifically, Booker and Menendez asked Quest to provide a detailed timeline of the breach, including when it began, when it was discovered, details of the investigation, notification to authorities, efforts for patient notifications, and when Quest was first notified by AMCA.
Quest must also outline its own investigative efforts, including the specific information compromised by the breach, the steps it is taking to identify affected patients, whether it will inform patients on its own, and how it plans to limit potential patient harm related to the event.
The Senators also want specifics on Quest’s security program, including whether it leverages vulnerability reports and, if so, how; the frequency of its remediation efforts; the steps it took to protect patient data after it was notified of the AMCA breach; and the processes it has in place to manage its vendors and their security programs.
They also demand an explanation of how the breach could have lasted for nearly eight months without detection, what security resources were used, and how Quest plans to bolster its security in response to the event.
Quest must also explain whether it has a security leader on staff and to whom that person reports, whether someone on staff is responsible for vendor management, and its total number of security employees.
Lastly, the Senators ask: “During the past seven months of the breach, how many times has Quest Diagnostics conducted a security test which evaluates both Quest Diagnostics’s systems as well as the systems of any companies it outsources to?”
LabCorp and AMCA Inquiry
After LabCorp announced its involvement, the Senators launched a separate inquiry into the testing giant. Referencing LabCorp’s past struggles with security, including a 2018 lawsuit over alleged inadequate privacy protections, Booker and Menendez blasted LabCorp given its “knowledge and responsibility to heighten information security standards and processes to better protect the patients it serves.”
The Senators asked LabCorp for answers to the same questions as Quest: details of its security processes, why the breach wasn’t detected sooner, how it manages its vendors, and details of its security team.
On June 7, the Senators launched a final inquiry into AMCA itself for its role in the breach, asking the same questions they had asked of Quest and LabCorp. In addition, Booker and Menendez want to know whether AMCA will inform each patient individually and whether it will promote its services after the two years of free credit monitoring and identity protection services have ended.
“We request information from your company to better understand how a breach of this magnitude occurred and the ultimate impact on patients,” Booker and Menendez wrote. “We must ensure that entities with access to patients’ personal, medical, and financial information understand their heightened duty to protect both the patient and their sensitive information, and that your company is taking both immediate and long-term steps to mitigate any harm.”
The companies have until June 14 to respond to the inquiries.
Date: June 12, 2019
Source: Health IT Security