Almost 20 million records exposed in breach affecting Quest and LabCorp

Executive Summary

Financial, healthcare and other personal / private information is a treasure trove for criminals and the proliferation of online records (payment, healthcare, etc.) and data sharing between entities (e.g., web portals for accessing healthcare records, payment portals for both B2B and B2C payment processing, etc.) gives these criminals countless opportunities to find data unsecured and available for abuse. In the last week, we’ve learned about two incidents that exposed almost twenty million records.   These two incidents underscore the importance for organizations to take proactive steps to safeguard the data that they have been entrusted with by identifying potential vulnerabilities in their infrastructure and mitigating those vulnerabilities before criminals are able to identify and abuse them.

What happened?

Earlier this week, we learned that patient / customer data for approximately 12 million Quest Diagnostics customers was exposed in a breach at it’s billing vendor, American Medical Collection Agency (AMCA). Exposed data included financial information (credit card numbers, bank account information) medical and other personal information (Social Security numbers).

Today, we’ve learned that LabCorp also used AMCA for billing collections and that 7.7 million LabCorp records had been exposed in the breach. According to the FoxBusiness article though, LabCorp did not provide patients lab results or Social Security numbers or insurance information to AMCA (suggesting that, perhaps, Quest did).

What can I do to protect my [personal | cardholder | PHI | other] data?

Understanding what assets you have and what vulnerabilities exist in those assets is crucial to understanding how to protect those assets from attack. Whether it’s regulatory compliance (PCI DSS, HIPAA, etc.) or best practices (NIST, ITIL, etc.), there are some very straightforward things that can be done to reduce risk. The CIS Top 20 is an excellent ‘checklist’ that can be used to establish a baseline.

  • Maintain an inventory of assets (hardware, software, etc.)
  • Establish role based access to these assets based on least privilege
  • Establish and maintain a patch management program to keep assets up-to-date and patched against known exploits
  • Establish, maintain and test a disaster recovery plan that includes things like offsite backups
  • Establish, maintain and test a multi-layer network / host / application security plan that includes boundary defense, network segmentation, endpoint protection, etc.
  • Conduct security awareness training during onboarding as well as periodically throughout the year (quarterly, semi-annually, annually, etc.)
  • Conduct regular testing of your security controls (vulnerability assessment, penetration testing, security awareness testing including phishing, vishing, media drops, etc.)
  • Incorporate the results of that regular testing into your policies and procedures

If you do not currently have a resource for information security or are concerned that your organization may be vulnerable to attack and would like assistance identifying vulnerabilities and designing a plan to mitigate them, we would love an opportunity to earn your business. Piratica offers a wide range of information security and risk management services including (but not limited to) information and risk management planning and training, security awareness training including phishing, vishing and media drop exercises, vulnerability scanning (general, PCI DSS, HIPAA), vulnerability assessments and penetration testing. We have extensive experience in the legal, healthcare, manufacturing, hospitality, retail and energy verticals.

Misc / Erratta

Leave a Reply