On Monday, Quest Diagnostics, the huge blood testing provider, said roughly 12 million of its customers may have had personal, financial and medical information revealed because one of its vendors, the American Medical Collection System, was breached. NBC News reported, “In a filing with securities regulators, Quest said it was notified that between Aug. 1, 2018, and March 30, 2019, that someone had unauthorized access to the systems of AMCA, a billing collections vendor. ‘(The) information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers),’ Quest said in the filing.”
Quest released a statement that read:
AMCA first notified Quest and Optum360 on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results. AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.
The firm representing the American Medical Collection System stated:
Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.
Huge data breaches have become common in recent years; last November The Daily Wire reported:
On Friday morning, the Marriott Corporation acknowledged there had been a massive data security breach involving the Starwood guest reservation database that occurred on or before September 10, 2018 that dated as far back as 2014. In a public notice, Marriott stated that it had decrypted information and determined that the contents were from the Starwood guest reservation database, involving approximately 500 million guests who made a reservation at a Starwood property. The statement added: For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).
The Daily Wire added:
The only data breach larger than the apparent one at Marriott occurred in 2013, when three billion user accounts at Yahoo were exposed, costing Yahoo $47 million in litigation expenses. Retailers Target Corp and Home Depot Inc. each lost $200 million after data breaches in 2013 and 2014. In late 2016, InterContinental Hotels Group (IHG) was cyberattacked.
