Last Monday, Quest Diagnostics revealed that the personal information of approximately 11.9 million patients — including medical data, Social Security numbers, credit card numbers and bank account information — may be have subjected to a data breach.

Quest didn’t formally announce the breach. Instead, the company released an 8-K form filed with the U.S. Securities and Exchange Commission (SEC), stating that the American Medical Collection Agency (AMCA), a Quest billings collection vendor based in Elmsford, New York, had informed the company about the breach. Quest insists it hasn’t received all the information from AMCA about the eight month period during which an “unauthorized user” had access to patient data, nor have they been able to independently verify AMCA’s assertions. Regardless, Quest has suspended sending collections requests to AMCA and is working with law enforcement and with UnitedHealth to address the issue.

“Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information,” the company said in the filing.

Really? According to Bloomberg News, “Quest said it was informed of the incident on May 14.” Moreover, according to AMCA, the breach itself occurred between Aug. 1, 2018, and March 30, 2019.

Why the delay in making the information public? Apparently no one was curious enough to ask, despite the reality that access to such information is an identity thief’s dream. AMCA maintains it is still investigating the incident. In the meantime, it has also hired security experts, taken down its payments page and has relocated online payments to a third-party collector. Optum360, a unit of UnitedHealth Group, was also notified of the breach, but UnitedHealth said its computers were not affected.

Optum360? Columnist Nicole Laskowski explains the linkage. “Quest Diagnostics uses Optum360 LLC for revenue cycle management services, which uses the American Medical Collection Agency (AMCA) for bill collection services, which experienced a breach,” she writes.

She further notes that Clyde Hewitt, executive advisor at health care cybersecurity consultancy CynergisTek Inc, refers to such an arrangement as a “nesting of vendors,” where each level of service becomes more specialized.

Ominously, such specialization makes it more difficult for Chief Information Officers (CIOs) to know where their organization’s data goes.

Hewitt agrees. “The lack of visibility and accountability up and down the food chain is where CIOs really need to go back and take a second look,” he said, “especially when it’s going to involve millions and millions of records like this, where they’re all collected together.”

Unfortunately, Quest wasn’t the only victim. One day after its filing, Laboratory Corporation of America Holdings (LabCorp) also filed its own 8-K form with the SEC revealing a data breach that may have affected as many as 7.7 million additional patients. That breach also originated with AMCA, which told Lab Corp that its web payment page was breached during the same time period an unauthorized user had access to Quest’s patient data.

Kate Borten, a health IT and information security expert, characterized the LabCorp breach as “horrifying.” “Business associates need to recognize the responsibility they have and the fact that they are absolutely subject to Health and Human Services,” she said. “They’re required to have all the security components in place of a good security program that a covered entity would have.”

AMCA has not yet provided LabCorp with a complete list of the customers affected. But according to the SEC filing, it has begun sending notices to 200,000 LabCorp consumers whose personal information may have been accessed. Like Quest, LabCorp has also stopped sending collection requests to AMCA, and stopped them from working on any pending collection requests involving LabCorp customers.

Borten believes any company using a web portal and dealing with confidential information should be far more buttoned up with regard to security. “You should be doing penetration tests, you should be doing all kinds of monitoring of that site because we all know that’s the entry point into your private network, your confidential assets,” she explains. “Any organization that’s got this direct connection to the Internet should have these things in place.”

In April of 2018, Quest Diagnostics, along with insurers Humana, UnitedHealthcare, Optum and MultiPlan launched a pilot program using “blockchain” — defined as a “continuously growing list of records, called blocks, which are linked and secured using cryptography” — to facilitate the management of health care data. In announcing the pilot program, the companies maintained that because physicians, information service providers, managed-care organizations, and health systems keep separate copies of health care provider information, reconciliation is both challenging and expensive.

Whether that particular type of security is effective remains unclear. Nonetheless, as this hack indicates, patient data remains vulnerable — again. In 2016, a total of 134,000 Quest customers had their data breached. At the time, the company assured those customers “it immediately addressed the vulnerability.”

Talk is apparently cheap, and some members of Congress expressed their concern. “As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” New Jersey Senators Robert Menendez and Cory Booker stated in a letter sent to Quest chairman and president Stephen Rusckowski. “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”

Who’s kidding whom? If one’s data was breached, and all the gut-wrenching permutations of identity theft are realized, what recourse does one have? It is virtually impossible to prove where one’s data was accessed, and there is little doubt large health care companies have the legal resources to fend off any assertions that they are at fault.

Thus, as always, it’s the public that will bear the brunt of what amounts to corporate malfeasance.

It gets worse. A third company, OPKO Health, Inc. filed yet another 8-K form with the SEC announcing that 422,600 customers may have been impacted by a data breach through its subsidiary, BioReference Laboratories, Inc. — which also used AMCA as its bill collection entity.

In other words, it’s now as many as 20 million patients who are potentially affected.

Kristina Podnar, digital policy consultant and author of The Power of Digital Policy, believes these filing are “just the tip of the iceberg.” She asserts, “I think we’re going to see a lot more coming out in terms of 8-K filings.”

Hackers and identity thieves couldn’t be happier.