- The Washington Times - Tuesday, December 13, 2016

One of the nation’s largest clinical laboratory testing companies this week said a recent security breach exposed the protected health information of thousands of patients.

Quest Diagnostics announced Monday that the names, birthdates and lab results of around 34,000 individuals were compromised last month after an “unauthorized third party” gained access to an online portal used to share health data with patients.

The breach happened on Nov. 26 and affected individuals have since been notified by mail, the Fortune 500 company said in Monday’s statement.

“When Quest Diagnostics discovered the intrusion, it immediately addressed the vulnerability,” the statement said. “Quest is taking steps to prevent similar incidents from happening in the future, and is working with a leading cybersecurity firm to assist in investigating and further evaluating the company’s systems. The investigation is ongoing and the unauthorized intrusion has been reported to law enforcement.”

In addition to names, birthdates and test results, Quest said an undisclosed number of affected patients had their telephone numbers compromised as well.

The breach failed to compromise any Social Security numbers, credit card details, insurance information or any other financial data, the statement said.

But according to Dan Cotter, a Chicago-based cyber law attorney for Butler Rubin Saltarrelli & Boyd LLP, the impact of the breach may have nonetheless been significant enough to trigger a potential HIPAA violation.

“[T]he challenge with healthcare records being accessed is that they are much more valuable than credit card or financial theft, because unlike the credit card that can be cancelled and a new one issued, medical history and information of an individual cannot be changed and can be used potentially on the dark market for medical fraud,” he said.

“While it is a good thing that the breach didn’t include Social Security numbers, credit card information, insurance or other financial information, the fact that names and lab results (and in some cases, phone numbers) were accessed is enough information create potential obligations for Quest under HIPAA as well as state data breach notice laws,” he added.

While health data has long been considered a hot commodity for hackers, cyberattacks waged against the healthcare industry surpassed those targeting both the financial services and manufacturing sectors in 2015, according to IBM researchers responsible for the firm’s annual Cyber Security Intelligence Index. Last month, security experts at Experian predicted that healthcare organizations will be the most targeted sector during the next calendar year.

The Madison, New Jersey-based Quest says it annually serves about one-third of adult Americans, as well as half the country’s physicians and hospitals. It employs roughly 44,000 employees from coast to coast, and last year boasted $7.5 billion in generated revenue.

Copyright © 2019 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times welcomes your comments on Spot.im, our third-party provider. Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide