close search bar

Sorry, not available in this language yet

close language selection

More medical mega-breaches thanks to third-party insecurity

Taylor Armerding

Jun 23, 2019 / 7 min read

When you hear from a company that “the safety, security and privacy of our customers’ information is our highest priority,” you can be pretty sure that the safety, security and privacy of that data recently got compromised.

Even if the breach didn’t happen directly to that specific company. As cybersecurity experts have been preaching to organizations for years now, even if your own security is rigorous, that’s not enough. If a third party that has access to your data has weak security, you are just as insecure as it is. If it gets breached, you do too.

Which was on display yet again with the most recent mega-breach of the week.


AMCA breach affects nearly 20 million people

Medical testing giants Quest Diagnostics and LabCorp announced, via filings with the Securities and Exchange Commission (SEC), that personal and medical information of about 19.4 million patients had been compromised due to a breach of American Medical Collection Agency (AMCA), their billing collections vendor. Quest said the breach affected an estimated 11.7 million people, and LabCorp set its estimate at 7.7 million.

A filing a few days later from Opko Health, that the data of 422,600 patients may have been exposed through the same breach, pushed the combined total to nearly 20 million.

Your supply chain is only as secure as its weakest link.

Have you vetted your vendors?

All this even though, as a number of experts noted during the avalanche of stories about the first anniversary of the EU’s General Data Protection Regulation (GDPR), the U.S. has had a law similar to GDPR governing the security of medical data since 2003—the Health Insurance Portability and Accountability Act (HIPAA).

Which suggests that you can have data protection laws in place, but stuff still happens.

Security blogger Brian Krebs, in a blog post, said he thought it likely that other companies would be added to the list. As he put it, “AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.”

AMCA breach in process for eight months

The attackers apparently had plenty of time to collect and peruse AMCA’s data (and thus that of its clients)—eight months.

In the SEC filings, the companies said AMCA had told them the breach lasted from Aug. 1, 2018, until March 30, 2019. It said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information. Reportedly, while it included medical information, it did not include lab results.

Quest, which issued a press release June 3, three days after it was notified by AMCA of the breach, said the connection to AMCA actually runs through another vendor, Optum 360. “AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA,” the release said.

Krebs said while AMCA wouldn’t answer any of his questions, the company issued a statement via an outside PR firm that said in part that after being notified by a security compliance firm of a possible breach, “we conducted an internal review, and then took down our web payments page.

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”

Quest said it has stopped sending collection requests to AMCA—which conjures the image of closing a barn door after thieves made off with 11.7 million horses.


Familiar fallout

And the fallout, which is only beginning, is both ominous and familiar.

  • Fierce Healthcare reported that while there hasn’t been an immediate financial impact on Quest and LabCorp, “the breach is credit negative for the companies because it exposes them to reputational risk and shines a spotlight on how they select and assess their vendors, according to a report from Moody’s Investors Service.”
  • U.S. Senators Robert Menendez (D-NJ), Cory Booker (D-NJ) and Mark Warner (D-VA) fired off letters to Quest demanding information on, among other things, the companies security practices, notification procedures and plans for damage control.
  • The attorneys general of Connecticut and Illinois announced an investigation into the breach.
  • Bleeping Computer reported last week that 11 class action suits were filed against Quest in federal courts from multiple states and with The United States Judicial Panel on Multidistrict Litigation (JPML) on June 3. Since then, eight more lawsuits had been filed in federal courts from New Jersey, New York, and California. At the time, there were also three lawsuits pending against LabCorp, with speculation that all of them could be consolidated by the JPML since AMCA is a common co-defendant.
  • While the investigations into the breach have barely begun, penalties for noncompliance with HIPAA and the accompanying HITECH (Health Information Technology for Economic and Clinical Health) Act depend on the level of negligence and can range from $100 to $50,000 per violation or per record, with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also lead to criminal charges.

Misery avoidance

Could all this misery have been avoided? There is no way to tell for sure, since whatever vulnerability allowed attackers to exploit AMCA has not been disclosed—perhaps not yet discovered.

But any breach would have been less likely if the companies contracting with AMCA had been more aggressive about overseeing its security practices.

Ironically, supply chain leaders are aware of the risk. But that awareness apparently hasn’t led to the kinds of action that will move the security needle.

A report dated May 30 from research and advisory firm Gartner titled Get Ahead of the Expanding Risk Frontier: Supply Chain Security found that “supply chain leaders rank cyberattack risks at the top of their list of concerns. However, only 10% of them characterize the relationship between their function and IT as strategic.”

Another irony is that there is plenty of advice, along with services, available to help them do that.


How to protect yourself from supply chain attacks

The BSIMM (Building Security In Maturity Model), which helps organizations improve their software security initiatives (SSI) by showing what other organizations are doing and what works, also provides the BSIMMsc, for software supplied by third parties.

Sammy Migues, principal scientist at Synopsys and a co-author of the BSIMM, noted in the white paper Applying the BSIMM to Managing Risk in the Software Supply Chain that the BSIMMsc “leverages attestation and automation to function as a foundational security control for software supply chain risk management.”

Put a bit more simply, it is designed to help organizations avoid software vendors that are “clueless.”

Nicholas Marinos, director of IT and cybersecurity at the U.S. Government Accountability Office (GAO), said the reality is that most entities, including those in healthcare, have to rely on third parties for “security services, IT, or to help them perform their missions.”

That means organizations that handle protected health information (PHI) “must have a way to assure that third parties are protecting that data according to best practices,” he said, which includes following up to see if promised security tests were actually conducted.

“It means having expertise on hand to make sure tests were done, but that there was follow-up on the results,” he said.

The healthcare industry, he notes, is critical infrastructure. “Ultimately we’re talking about information,” he said. “Sometimes the focus on security ends up being on technology and systems, but any entity would benefit from knowing what data it has, how it’s used and where it’s going, as well as what kind of technology you have connected to your organization.”

And the Gartner report offers a playbook for organizations seeking to conduct effective oversight of the security of their third-party vendors.

Among the recommendations from analysts Katell Thielemann, Mark Atwood and Kamala Raman:

  • Know what you, and your third parties, have and need to protect.
  • Assess the security and risk management posture of third parties.
  • Know all industry regulations applicable to you, and make them part of your supply chain risk management strategy.

The report offers more detail on how to achieve those and other goals.

None of this will make you perfect. But it will get you a lot closer. Which is usually enough to get attackers to look for easier targets.


Your supply chain is only as secure as its weakest link.

Have you vetted your vendors?

Continue Reading

Explore Topics