Data Security Law Blog

Millions of Patient Records Exposed in Breach at Medical Testing Giants’ Third-Party Vendor

It’s been a tough week for the healthcare industry.

Just days after Quest Diagnostics reported a breach at a third-party vendor affecting approximately 11.9 million of its patients, LabCorp disclosed that a breach at the same vendor exposed the personal and financial data of 7.7 million of its customers.

Customer data for both entities was exposed in a breach at the third-party bill collection agency American Medical Collection Agency (AMCA), where an unauthorized user had access to patient records from August 1, 2018 until March 30, 2019.

While neither incident exposed patient lab results, a statement released by Quest Diagnostics on June 3rd indicates that the exposed data likely included financial and personal information, including medical information and Social Security numbers. In a Securities and Exchange Commission filing on June 4th, LabCorp indicated that an unauthorized user likely accessed names, dates of birth, addresses, phone numbers, dates of service, providers, and account balance information for its customers. Credit card and bank account information for 200,000 LabCorp consumers may also have been exposed.

Since the incidents were reported, multiple class action lawsuits have been filed against Quest and LabCorp. While just three class action suits have been filed against LabCorp, Quest has been named in more than ten. The suits have been filed in federal courts in multiple states. In addition to the disclosure of personal and financial information, many of the suits allege that health information protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was also compromised.

A number of the suits contend that the defendants failed to safeguard patient information, exposing customers to fraud and identity theft. The complaints underscore what this kind of breach means for the average consumer: as they allege, with patient information exposed, cybercriminals can open financial accounts, take out loans, and engage in myriad other fraudulent activities.

Are these breaches the new normal? A study released last week by Carbon Black, a cybersecurity firm, on the state of data security in the healthcare industry concludes that organizations in this sector are increasingly targeted by cyberattacks. According to the report, two-thirds of surveyed healthcare groups were targeted by ransomware over the past year, while 83 percent of surveyed organizations report a general increase in cyberattacks during the same period. Nearly half report that some of the attacks they encountered were aimed primarily at destroying data. Notably, two-thirds of healthcare groups also reported that the cyberattacks had become more sophisticated over the past year.

Carbon Black predicts a growing challenge for the healthcare sector. As more devices come into use, it reports, “the surface area for health care attacks” grows ever larger. Meanwhile, limited cybersecurity staffing and budgets threaten to leave healthcare entities ill-equipped to face these breaches.

The report warns that a data security strategy designed only to react to breaches that have already occurred is no longer sufficient. Instead, it urges organizations to proactively detect and neutralize attacks by hunting for threats and developing measures to counter hackers’ efforts to infiltrate their networks. As the report notes, threat hunting is no longer a strategy reserved for the security elite; an organization’s survival may depend on it.