Medical testing provider Quest Diagnostics announced on Monday that the information of about 11.9 million of its patients — including their dates of birth and Social Security numbers — had been put at risk by a breach, dating back as far as August 2018, of the website of a fourth-party supplier of debt-collection services.
The supplier, American Medical Collection Agency (AMCA), provides debt-collection services to Optum360, a medical billing service, which in turn is contracted by Quest. AMCA only notified Quest and Optum of the breach on May 14, and has not provided detailed information, Quest claimed in a notice posted on June 3.
"Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA."
The incident underscores the threat that third-party — and, in this case, fourth-party — suppliers can pose to their clients, especially if the suppliers do not have a mature security program.
"This was a breach through a vendor in their supply chain and shows that, however good your security strategy is, it can only ever be as good as the weakest link in the chain — and that could easily be a third party," Laurence Pitt, security strategy director at Juniper Networks, wrote in a statement sent to Dark Reading. "It's essential to evaluate security for every link in the supply chain, and data-protection regulations enforce this. You cannot outsource security responsibility."
AMCA has struggled to respond to the breach. In early March, threat intelligence firm Gemini Advisory notified the company that it had found caches of financial details for sale on the Dark Web that led back to its customer base. Gemini Advisory never received a response to its outreach, and so notified law enforcement as well.
"It's not the first time we had the same (non-)response," says Stanislav Alforov, director of research and development for Gemini Advisory. "It seems like everyone is always in denial — like there are seven stages to being breached and the first one is denial."
Because AMCA claims to handle more than $1 billion in receivables every year, a breach of its service likely affects other medical providers as well. However, the company has not provided any comprehensive information to Quest or Optum360.
"AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected," Quest Diagnostics stated on June 3. "And Quest has not been able to verify the accuracy of the information received from AMCA."
AMCA has hired crisis management firm Brunswick Group, which provided a statement to Dark Reading on the breach, saying that, following the notification, AMCA conducted an internal review and shut down its web payments page.
"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," AMCA said in the statement. "We have also advised law enforcement of this incident."
While the information leaked does not include diagnostic results, according to Quest, the inclusion of the dates of birth and Social Security numbers makes the data much more complete and therefore more valuable, says Giovanni Vigna, co-founder and CTO of network security provider Lastline.
"Customers impacted may now have to deal with identity theft — this requires a significant amount of time to handle — including the recovery of damaged credit scores while also fixing fraudulent charges on credit cards," he says.
Gemini Advisory expects more medical firms to notify their customers that their information has been compromised. While the company only found information on slightly more than 200,000 people on the Dark Web, cybercriminals often post only a subset of stolen accounts, Alforov says.
"I think you will start hearing from other affected clients going forward," he says. "This data so far is only from Quest Diagnostics clients, just the ones that were sent to collections. Those were the card holders that were affected."