Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Businesses Medicine Security United States

Quest Diagnostics, One of the Biggest Blood Testing Providers In US, Says Up To 12 Million Patients May Have Had Info Stolen (nbcnewyork.com) 78

JustAnotherOldGuy writes from a report via NBC New York: Did your personal, medical, or financial data just get hacked? Quest Diagnostics, one of the biggest blood testing providers in the country, warned Monday that nearly 12 million of its customers may have had personal, financial and medical information breached due to an issue with one of its vendors. In a filing with securities regulators, Quest said it was notified that between Aug. 1, 2018 and March 30, 2019, someone had unauthorized access to the systems of AMCA, a billing collections vendor. "The information on AMCA's affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)," Quest said in a filing.
This discussion has been archived. No new comments can be posted.

Quest Diagnostics, One of the Biggest Blood Testing Providers In US, Says Up To 12 Million Patients May Have Had Info Stolen

Comments Filter:
  • Motivation (Score:5, Insightful)

    by nehumanuscrede ( 624750 ) on Monday June 03, 2019 @08:10PM (#58704540)

    They could give a shit if your data was stolen because the fines are nothing more than a temporary annoyance.

    Only when the fines are large enough to start bankrupting companies will they start to take security seriously.
    ( I would also settle for the CEO being stripped of their Golden Parachute retirement and tossed into prison for a few years. )

    Remember Equifax ? Yeah ? How many have gone to jail or paid a fine for that one ?

    Exactly.

    • by raymorris ( 2726007 ) on Monday June 03, 2019 @08:39PM (#58704622) Journal

      > Remember Equifax ? Yeah ? How many have gone to jail or paid a fine for that one ?

      At least two are in prison for their actions regarding the breach. The Chief Information Officer and a Software Development Manager.

      > Only when the fines are large enough to start bankrupting companies will they start to take security seriously.

      They started about 2 years ago or so. Some three years ago, but it has really ramped up in the last couple of years due to network effects. The network effects have finally achieved critical mass.

      What do I mean by network effects? Notice the breach was due to bad security by one of their *vendors*, which isn't rare. What do you want to bet that from now on they require some serious security audits from all of their vendors? My company doubled their security spending this year, because the companies we do business with are requiring us to improve our security. In order to meet the requirements, we need OUR vendors to be compliant, so we're now asking our vendors for security audit results.

      It's now starting to be that if you want to do business with the big boys, you need to have your house in order regarding security. From everything I'm seeing the network effects will continue to increase. Also, insurance companies are just now starting to get on board, treating security just like they treat fire safety, etc. Don't meet fire code code? You either don't get insurance, or it costs a lot more. That should be a very good development.

      • by SirAstral ( 1349985 ) on Monday June 03, 2019 @09:32PM (#58704806)

        Yea, that all sounds nice on paper, but auditors are trash. Have you ever noticed that many of them are nice looking? Yea that is not a mystery, they are there to make their company physically look good.

        Most of them by a large margin do not even know what they are doing. On top of that, regulations are always up for interpretation. Do you want to stay in business, don't get a reputation for actually auditing them. In IT auditors only get exactly what they are asking for and nothing else, why? Because they are too stupid to even ask the right questions. The only thing auditors will do is pick and choose a couple of low hanging fruits and ding you on that and go easy on the really nasty/important stuff.

        You should read up on the Password article Slashdot did the other day. Not only is the security practices we put in place puerile jokes, most businesses and most professionals "fundamentally" do not understand security. Executives are constantly undermining security while acting like their business takes it seriously. Management constantly overlooks poor security practices by development teams, internal groups, & 3rd parties because they have pick your alphabet soup compliance's. I have personally witnessed businesses that have ignored security breaches, delayed critical responses to such breaches because "revenue", and out right ignoring a security issue because it was too important to keep operations going than to stop and secure the data. Almost every place I have ever worked has had salaries exposed, hipaa violations, back doors placed by staff, unprotected data, exposed API's and DOS's risks.

        Basically the front door is fort knox security, so it looks nice, but the back door is removed from the hinges and tossed out. And this is just scratching the surface.

        • " In IT auditors only get exactly what they are asking for and nothing else, why? Because they are too stupid to even ask the right questions"

          No because they know if they find something out they can cost the company a lot of liabilities, and they thus well aware that when they are asked to audit "a,b,d,e" and not "c", most of the time they aren't dumb they know they are not requested to do "c" , because "c" would be a costly issue. So company pay lip service and get their "we got an audit" , auditor got h
        • ...but auditors are trash. Have you ever noticed that many of them are nice looking? Yea that is not a mystery, they are there to make their company physically look good.

          That's not fair, mate. I've experienced some very nice looking people in the professional world, and many are extremely knowledgeable about what they do for a living. Lots of sexy folks go to college, and I think there is a correlation there.

      • by ShanghaiBill ( 739463 ) on Monday June 03, 2019 @10:15PM (#58704936)

        At least two are in prison for their actions regarding the breach. The Chief Information Officer and a Software Development Manager.

        The CIO, Jun Ming, and the dev manager, Sudhakar Reddy Bonthu, were not convicted for their negligence in causing the breach, but for insider trading after the fact. They dumped shares in Equifax after they were told of the breach, but before it was announced to the public.

        If they had not tried to profit from their own incompetence, they would have suffered no legal consequences.

      • by swm ( 171547 )

        At least two are in prison for their actions regarding the breach.

        They are in prison for insider trading on advance knowledge of the breach, not for the breach itself.

        The system protects rich people (who own stock), not ordinary people (who have their data compromised).

        • > The system protects rich people (who own stock), not ordinary people

          Most people. Most people own stock. 54% according to Gallup 2017. Yes, these people are far more likely to end up rich than people who don't invest, spending all of their money by the time the next paycheck arrives.

          Choosing $1 in your checking account over $2 in your 401k account is foolish. People who take the $1 are either uninformed or a tad crazy. So the division is:

          Ordinary people (who own stocks), foolish people (who spend their

    • Re:Motivation (Score:4, Interesting)

      by Jason Levine ( 196982 ) on Tuesday June 04, 2019 @07:31AM (#58706414) Homepage

      My identity was stolen years ago and used to open a credit card in my name. The only reason I knew about it was because the thieves messed up and paid for rush delivery of the card before putting the address change through. When the credit card company (*cough* Capital One *cough*) heard it was fraud, their first response was to blame my wife. They told me that perhaps SHE opened the card in my name. Given that she was beside me at the time freaking out, I highly doubted that. (The thieves also got my mother's maiden name wrong and asked for a cash advance before the card was activated. That plus the immediate address change to a different state were red flags that apparently didn't mean anything to them.)

      Once they admitted that it was fraud, they refused to give me the new address on the account - the one opened in my name. I asked why and this was their exact wording: "If you go there and shoot them, then we'll be liable." So they didn't care about liability for possibly ruining me financially (had the card gone to the thieves and they racked up thousands in debt under my name), but some theoretical murder that I might possibly take was highly worrying to them. They also insisted that the police call them on a special line - one that went right to a voicemail box that was never answered.

      Total consequences for me? My credit is frozen for the rest of my life, to be thawed only when I need to open new lines of credit.

      Total consequences for the credit card company? An extremely minor inconvenience of closing the account and then they went on their merry way.

      Oh, and the thieves? No consequence at all since they were never caught. (At least not for stealing/using my identity.)

  • No problem, I'll just change my blood type. THAT'll show 'em.

    And really, Bank of America just changed my CC for me, presumably because the card, while not being used, was involved in a dump like this.
  • hipaa violations $100 to $50,000 per violation

    • by Anonymous Coward

      hipaa violations $100 to $50,000 per violation

      Yeah, but there is a maximum yearly fine, no matter how many violations took place during the year. It's currently capped at a measly 1-2 million dollars or so. For a major health care or insurance company that's chump change plus they have insurance or re-insurance that will pay the fine for them, so it amounts to basically nothing. This is why we need jail time for executives. Fines are effectively meaningless unless you make them so large that they're uninsurable and bankruptcy is the only option. In pra

  • The US government HIPAA laws guarantee that can't happen.

    How's that working out for you?

    • by Anonymous Coward

      Oddly, HIPPA audits and exams seem to be less strict than those performed by FDIC, NCUA, and state agencies for banks and credit unions.

      • by DarkOx ( 621550 )

        Likely because IT security in the medical industry a mess. Often because they have so many other regulations they need to comply with it prevents them from doing the right things security wise. Also because so so much is so time critical yet can't really be planned for only anticipated at best, you can't put up a bunch of barriers.

        Example - You are having some acute episode during some other test or procedure. Maybe you reacted badly to the anesthesia or something. seconds count. The physician present w

  • Notification (Score:4, Insightful)

    by sjames ( 1099 ) on Monday June 03, 2019 @09:02PM (#58704712) Homepage Journal

    Will they be bothering to notify people who might be affected so they can mitigate the risks? Perhaps with a nice refund to cover the time and trouble?

    I'll be here all week!

    • Just what I was thinking - when do they notify me that my information was stolen.

      Also, remember, if you're health insurance includes Medicare, your id has been your Social Security number and may still be. I'm assuming the billing company needs this information to bill Medicare. It's taking awhile for the new Medicare IDs to be issued.
      • by hawkfish ( 8978 )

        Just what I was thinking - when do they notify me that my information was stolen.

        Also, remember, if you're health insurance includes Medicare, your id has been your Social Security number and may still be. I'm assuming the billing company needs this information to bill Medicare. It's taking awhile for the new Medicare IDs to be issued.

        Even before Medicare age: I have long banned my employers from giving my SSN to medical providers, but I recently found that they had started doing it. After I called them about it, they told me that because I'm over 50(?) and they are required to because of something to do with Medicare.

  • by Anonymous Coward

    Not much activity on this thread, and the reason is simple. There are so many of these breaches that everyone is just dulled.

  • interesting. (Score:4, Interesting)

    by WindBourne ( 631190 ) on Monday June 03, 2019 @10:56PM (#58705084) Journal
    WHen I worked for them (first as metpath, and later as corning), both our medical and billing systems were on Mumps (M) on PDP and later, on DECs. Obviously, they went the wrong direction on web access.
    • by zifn4b ( 1040588 )
      Many American companies when it comes to upgrading tech (after they resist it with all their might) hire college graduates, H-1B's and/or shoddy contractors in general. You get what you pay for!
      • by Miser ( 36591 )

        https://thedailywtf.com/articles/Jurassic-Programmers-

        Let's just say despite the obvious changing of the names, I know this story not first hand (as an employee) but as a customer of said business. A sad tale all around. At this point, the company is no more. The old "ooooh! New! Shiny!!" bites again.

    • "WHen I worked for them (first as metpath, and later as corning), both our medical and billing systems were on Mumps (M) on PDP and later, on DECs"

      I guess now it runs under OpenVMS. :-)

  • Drug tests don't really do anything useful, are expensive and now the biggest company that does the majority of them that is supposed to be the best at "chain of custody" can't even secure their data. Yet another United States blunder that makes me ashamed to be an American. Hope we get someone who actually cares about citizens in 2020.
  • by Jason Levine ( 196982 ) on Tuesday June 04, 2019 @07:35AM (#58706424) Homepage

    At this point, everyone's credit file should be considered to be compromised and frozen - with people needing to unlock them when they want to open new lines of credit. Except this would not only not be profitable for the big credit agencies, but would cut into their business of selling us to credit card companies as potential customers. So they'll fight tooth and nail to keep our credit files insecure and their profits sky high.

  • Now the information about all the times I've tested negative for drugs will get out (I pee in a jar every time I get a new contract). Now _nobody_ will think I'm cool!

No spitting on the Bus! Thank you, The Mgt.

Working...