Blood testing giant Quest Diagnostics lost 12,000,000 patients' personal, financial and medical data

Originally published at: https://boingboing.net/2019/06/04/oops-3.html

1 Like

With the constant drip drip drip of data breaches, doesn’t everyone have everyone else’s “private” data by this point?

6 Likes

Great. These are customers who went to collections; in other words, the people who can least afford to lose control of their credit or fight an identity theft case.

10 Likes

12,000,000

That’s a good day in data breaches land.

2 Likes

HIPAA violations are sue-the-fuck-out-ofable.

6 Likes

Is “lost” the right word here? I read the headline and expected to hear that their data storage failed and they didn’t have backups.

Regardless, we need to do something here that doesn’t involve putting more burden on their customers.

5 Likes

Oh, that’s just the Quest customers. AMCA (the collections/payment vendor in question) hasn’t announced the total overall breach numbers.

5 Likes

Okay, I have now read the actual press release from Quest. What really happened is this:

  1. Quest contracts with Optum360 (“Our solutions provide a modern healthcare revenue cycle”, whatever the fuck that means).
  2. Optum360 contracts with American Medical Collection Agency (AMCA) (“a billing collections service provider”).
  3. AMCA fucks up.
  4. AMCA notifies Optum360.
  5. Optum360 notifies Quest.
  6. Quest notifies securities regulators and issues a press release.

Fortunately/Unfortunately, I don’t think AMCA had any data that would render them liable under HIPAA, any more than, say, a credit card company would if you used a credit card to pay at the doctor’s office.

8 Likes

Came to say same. Lost != exposed.

1 Like

The HIPAA / Privacy term is provisioning. If you have data that indicates Joe Sixpack paid for a specific healthcare procedure, such as a line on the bill that says “$1000 for cancer screening”, that’s definitely within the scope of HIPAA regulations.

If it just says “$1000 owed to Quest Diagnostics”, then it’s most likely out of scope. (That’s assuming the data isn’t structured to expose information, such as “syphilis testing: $101; HIV testing: $102; gonorrhea testing: $103”, etc.)

And as with any legal advice you receive from an Internet forum populated by happy mutants, check with your own law department before proceeding.

6 Likes

“Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information.”

Thank goodness!

3 Likes

A few years ago I was working with a client practice to integrate their EHR with Quest’s request/results interface. Once we finished setting up, we sent some test data back and forth; then my contact at Quest requested that we send some “live” patient data.

Well, I’d been entered into the EHR as a dummy patient since day 1 (with a fake SSN and dummy credit card), so we sent over a fake urinalysis for me. (No actual urine changed hands.) All the data checks passed, and we went “live”. Unfortunately, my contact at Quest forgot to set the “disregard” flag on the transaction, and it got sent to billing - where they discovered that both the credit card and SSN were dummies. The first I heard about it was a phone call from Quest’s internal collections department; fortunately, I was able to explain the situation. Oh, how we laughed and laughed.

The best part? My “results” indicated a yeast infection.

1 Like

Another case of “we value your privacy”. Soon, the reversal of this meaning will become commonplace in the English language, like “dropping a song”, which used to mean: “not releasing a song”, whereas now, in this modern day and age it means: “releasing a song”.

‘Value’, verb, ‘not giving a fuck about’

1 Like

I believe the proper construction would be “out-the-fuck-sueable”. :slight_smile:

2 Likes

The answer is definitely and most assuredly, ummm, yes. And, don’t forget, the “drip drip drip” comes just before the “flood flood flood”. Have a nice day!

In a filing with securities regulators, Quest said it was notified that between Aug. 1, 2018, and March 30, 2019, someone had unauthorized access to the systems of AMCA, a billing collections vendor.

“(The) information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers),” Quest said in the filing.

While customers’ broad medical information might have been compromised, Quest said AMCA did not have access to actual lab test results, and so therefore that data was not impacted.

I’m not sure what your point is. This is precisely why “lost” is not the right word–the data was compromised, not lost.

Exactly. You nailed it, anonotwit, as indicated by the article linked to in the post.

1 Like
