Millions of people might have had their financial and medical information stolen. Quest Diagnostics says it contracted its billing collections to a vendor that further subcontracted the work to another—AMCA—whose systems were hacked.

Oops. Not only that, but the Quest breach supposedly lasted 10 months.

And it’s not the first time that Quest has lost patient data, we’re told. In today’s SB Blogwatch, we cheer hip-hip-HIPAA hooray.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: “Eclectic Method sucks.”

Once More Unto the Breach

What’s the craic? Angelica LaVito—“Quest Diagnostics says 11.9 million patients’ financial and medical information may have been exposed”:

In a filing with the Securities and Exchange Commission, Quest said a billing collections vendor, American Medical Collection Agency, notified it last month of potential unauthorized activity on AMCA’s web payment page.

…

The system contained sensitive data, including credit card numbers, bank account information, medical information and Social Security numbers, Quest said.

That doesn’t sound good. Zack Whittaker reports, “11.9 million patients affected by data breach”:

According to the filing … the “unauthorized user” siphoned off credit card numbers, medical information and personal data. … Laboratory test results were not among in the stolen data, Quest said.

…

The breach dated back to August 1, 2018 until May 31, 2019, said Quest, but noted that it has “not been able to verify the accuracy of the information.” … It’s the second breach affecting Quest customers in three years. In 2016, the company said 34,000 patients had data stolen by hackers.

Again? Quest Diagnostics’ anonymous PR gnomes have this “Statement on the AMCA Data Security Incident”:

AMCA, a billing collections service provider, has informed Quest Diagnostics that an unauthorized user had access to AMCA’s system containing personal information AMCA received … from Quest. AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter.

…

Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. … Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law.

It’s almost as if breach-du-jour is no longer news. Bill Murphy Jr. thinks, “We’re All So Numb We Don’t Even Care”:

It’s amazing how inured we are to data breaches. Somebody hacks a big company’s website, and they download millions of … whatever, and we’re at the point where we all just shrug.

…

But I have a gut feeling that the latest data breach — in which … 11.9 million Quest Diagnostics patients may have had their medical and personal information hacked — might stand out. … Granted, this isn’t even the biggest breach of personal medical information. That dubious award might go to Anthem Insurance, which reportedly had to pay a $115 million settlement after a 2015 data breach that exposed the records of 79 million people.

…

Maybe check out some of the private in-home medical testing startups that have arisen in the post-Elizabeth Holmes era.

ikr? Senator Robert “Bob” Menendez [D-NJ]—@SenatorMenendez—blusters:

Unacceptable. I’m following this story closely.

So? Steve Secord seems slightly sarcastic: [You’re fired—Ed.]

Oh, thank goodness it was only my SSN and CC info, and not my test results. Idiots!

But heads will roll, yes? No, says nehumanuscrede:

They could give a **** if your data was stolen because the fines are nothing more than a temporary annoyance.



Only when the fines are large enough to start bankrupting companies will they start to take security seriously. (I would also settle for the CEO being stripped of their … retirement and tossed into prison.)

…

Remember Equifax? … How many have gone to jail or paid a fine for that one?



Exactly.

And folkhack agrees:

Great. Yet another one.

…

Let’s all look on in disbelief while these people barely get slapped on the wrist!

How could this have happened? Joshua Smith—@JoshuaMSmith—screams internally:

MFW you interact with a company that handles PII/PHI and their payment site is hosted in WordPress: 😱

Meanwhile, burfog has the perfect solution:

We’re not solving this unless we can teach all people, even newborns and coma patients, to do 8192-bit RSA in their heads and to generate and remember suitable private keys.

And Finally:

Jonny Wilson’s latest video remix

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U.S. Center for Disease Control and Prevention (public domain)

— Richi Jennings