Fellow Patriot: The voluntary financial generosity of supporters like you keeps our hard-hitting analysis coming. Please support the 2024 Year-End Campaign today. Thank you for your support! —Nate Jackson, Managing Editor

June 10, 2019

Hacking Americans’ Health Data

As many as 20 million patients may have had their info stolen via online health portals.

Last Monday, Quest Diagnostics revealed that the personal information of approximately 11.9 million patients — including medical data, Social Security numbers, credit card numbers and bank account information — may be have subjected to a data breach.

Quest didn’t formally announce the breach. Instead, the company released an 8-K form filed with the U.S. Securities and Exchange Commission (SEC), stating that the American Medical Collection Agency (AMCA), a Quest billings collection vendor based in Elmsford, New York, had informed the company about the breach. Quest insists it hasn’t received all the information from AMCA about the eight month period during which an “unauthorized user” had access to patient data, nor have they been able to independently verify AMCA’s assertions. Regardless, Quest has suspended sending collections requests to AMCA and is working with law enforcement and with UnitedHealth to address the issue.

“Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information,” the company said in the filing.

Really? According to Bloomberg News, “Quest said it was informed of the incident on May 14.” Moreover, according to AMCA, the breach itself occurred between Aug. 1, 2018, and March 30, 2019.

Why the delay in making the information public? Apparently no one was curious enough to ask, despite the reality that access to such information is an identity thief’s dream. AMCA maintains it is still investigating the incident. In the meantime, it has also hired security experts, taken down its payments page and has relocated online payments to a third-party collector. Optum360, a unit of UnitedHealth Group, was also notified of the breach, but UnitedHealth said its computers were not affected.

Optum360? Columnist Nicole Laskowski explains the linkage. “Quest Diagnostics uses Optum360 LLC for revenue cycle management services, which uses the American Medical Collection Agency (AMCA) for bill collection services, which experienced a breach,” she writes.

She further notes that Clyde Hewitt, executive advisor at health care cybersecurity consultancy CynergisTek Inc, refers to such an arrangement as a “nesting of vendors,” where each level of service becomes more specialized.

Ominously, such specialization makes it more difficult for Chief Information Officers (CIOs) to know where their organization’s data goes.

Hewitt agrees. “The lack of visibility and accountability up and down the food chain is where CIOs really need to go back and take a second look,” he said, “especially when it’s going to involve millions and millions of records like this, where they’re all collected together.”

Unfortunately, Quest wasn’t the only victim. One day after its filing, Laboratory Corporation of America Holdings (LabCorp) also filed its own 8-K form with the SEC revealing a data breach that may have affected as many as 7.7 million additional patients. That breach also originated with AMCA, which told Lab Corp that its web payment page was breached during the same time period an unauthorized user had access to Quest’s patient data.

Kate Borten, a health IT and information security expert, characterized the LabCorp breach as “horrifying.” “Business associates need to recognize the responsibility they have and the fact that they are absolutely subject to Health and Human Services,” she said. “They’re required to have all the security components in place of a good security program that a covered entity would have.”

AMCA has not yet provided LabCorp with a complete list of the customers affected. But according to the SEC filing, it has begun sending notices to 200,000 LabCorp consumers whose personal information may have been accessed. Like Quest, LabCorp has also stopped sending collection requests to AMCA, and stopped them from working on any pending collection requests involving LabCorp customers.

Borten believes any company using a web portal and dealing with confidential information should be far more buttoned up with regard to security. “You should be doing penetration tests, you should be doing all kinds of monitoring of that site because we all know that’s the entry point into your private network, your confidential assets,” she explains. “Any organization that’s got this direct connection to the Internet should have these things in place.”

In April of 2018, Quest Diagnostics, along with insurers Humana, UnitedHealthcare, Optum and MultiPlan launched a pilot program using “blockchain” — defined as a “continuously growing list of records, called blocks, which are linked and secured using cryptography” — to facilitate the management of health care data. In announcing the pilot program, the companies maintained that because physicians, information service providers, managed-care organizations, and health systems keep separate copies of health care provider information, reconciliation is both challenging and expensive.

Whether that particular type of security is effective remains unclear. Nonetheless, as this hack indicates, patient data remains vulnerable — again. In 2016, a total of 134,000 Quest customers had their data breached. At the time, the company assured those customers “it immediately addressed the vulnerability.”

Talk is apparently cheap, and some members of Congress expressed their concern. “As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” New Jersey Senators Robert Menendez and Cory Booker stated in a letter sent to Quest chairman and president Stephen Rusckowski. “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”

Who’s kidding whom? If one’s data was breached, and all the gut-wrenching permutations of identity theft are realized, what recourse does one have? It is virtually impossible to prove where one’s data was accessed, and there is little doubt large health care companies have the legal resources to fend off any assertions that they are at fault.

Thus, as always, it’s the public that will bear the brunt of what amounts to corporate malfeasance.

It gets worse. A third company, OPKO Health, Inc. filed yet another 8-K form with the SEC announcing that 422,600 customers may have been impacted by a data breach through its subsidiary, BioReference Laboratories, Inc. — which also used AMCA as its bill collection entity.

In other words, it’s now as many as 20 million patients who are potentially affected.

Kristina Podnar, digital policy consultant and author of The Power of Digital Policy, believes these filing are “just the tip of the iceberg.” She asserts, “I think we’re going to see a lot more coming out in terms of 8-K filings.”

Hackers and identity thieves couldn’t be happier.

Who We Are

The Patriot Post is a highly acclaimed weekday digest of news analysis, policy and opinion written from the heartland — as opposed to the MSM’s ubiquitous Beltway echo chambers — for grassroots leaders nationwide. More

What We Offer

On the Web

We provide solid conservative perspective on the most important issues, including analysis, opinion columns, headline summaries, memes, cartoons and much more.

Via Email

Choose our full-length Digest or our quick-reading Snapshot for a summary of important news. We also offer Cartoons & Memes on Monday and Alexander’s column on Wednesday.

Our Mission

The Patriot Post is steadfast in our mission to extend the endowment of Liberty to the next generation by advocating for individual rights and responsibilities, supporting the restoration of constitutional limits on government and the judiciary, and promoting free enterprise, national defense and traditional American values. We are a rock-solid conservative touchstone for the expanding ranks of grassroots Americans Patriots from all walks of life. Our mission and operation budgets are not financed by any political or special interest groups, and to protect our editorial integrity, we accept no advertising. We are sustained solely by you. Please support The Patriot Fund today!


The Patriot Post and Patriot Foundation Trust, in keeping with our Military Mission of Service to our uniformed service members and veterans, are proud to support and promote the National Medal of Honor Heritage Center, the Congressional Medal of Honor Society, both the Honoring the Sacrifice and Warrior Freedom Service Dogs aiding wounded veterans, the Tunnel to Towers Foundation, the National Veterans Entrepreneurship Program, the Folds of Honor outreach, and Officer Christian Fellowship, the Air University Foundation, and Naval War College Foundation, and the Naval Aviation Museum Foundation. "Greater love has no one than this, to lay down one's life for his friends." (John 15:13)

★ PUBLIUS ★

“Our cause is noble; it is the cause of mankind!” —George Washington

Please join us in prayer for our nation — that righteous leaders would rise and prevail and we would be united as Americans. Pray also for the protection of our Military Patriots, Veterans, First Responders, and their families. Please lift up your Patriot team and our mission to support and defend our Republic's Founding Principle of Liberty, that the fires of freedom would be ignited in the hearts and minds of our countrymen.

The Patriot Post is protected speech, as enumerated in the First Amendment and enforced by the Second Amendment of the Constitution of the United States of America, in accordance with the endowed and unalienable Rights of All Mankind.

Copyright © 2024 The Patriot Post. All Rights Reserved.

The Patriot Post does not support Internet Explorer. We recommend installing the latest version of Microsoft Edge, Mozilla Firefox, or Google Chrome.