Quest Diagnostics, One of the Biggest Blood Testing Providers In US, Says Up To 12 Million Patients May Have Had Info Stolen (nbcnewyork.com) 78
JustAnotherOldGuy writes from a report via NBC New York: Did your personal, medical, or financial data just get hacked? Quest Diagnostics, one of the biggest blood testing providers in the country, warned Monday that nearly 12 million of its customers may have had personal, financial and medical information breached due to an issue with one of its vendors. In a filing with securities regulators, Quest said it was notified that between Aug. 1, 2018 and March 30, 2019, someone had unauthorized access to the systems of AMCA, a billing collections vendor. "The information on AMCA's affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)," Quest said in a filing.
Yes, Trump is a nazi. (Score:1)
Trump is a nazi. He advocates anti-minority anti-immigrant policies, he flirts with nazi right wingers, refused to condemn DAVID DUKE, and his support of nazis (and Russia) has been a plain-sight unhidden non-secret of his base supporters.
Furthermore, the entire Likud party in Israel could be compared equivalently to the Nazis. They foment and push for ethnic violence and reduction of human rights standards, their political support is founded in racist pseudo-victimstance.
Finally, your reductionist "us vs
Re: (Score:1)
Only a Liberal can call a man who is surrounded by Jews and literally sucks Israel's cock a "Nazi" and keep a straight face.
When you call Nazis "Good people on both sides", you're a nazi.
1 D 10 T AC again
Re: (Score:3)
Lab Interfaces are very Transnational.
The Standard Lab Interface. Has a bunch of identifiers, Including your healthcare institution Medical Record Number, Your Personal Information, a Requisition number. Which Quest or whatever lab would send this information back with the results. Erasing the original isn't always an option, because some request will create reflexive tests to be done and sent back, as well to process some tests time may be a factor.
That said, dealing with Quest was the second worse Lab C
Motivation (Score:5, Insightful)
They could give a shit if your data was stolen because the fines are nothing more than a temporary annoyance.
Only when the fines are large enough to start bankrupting companies will they start to take security seriously.
( I would also settle for the CEO being stripped of their Golden Parachute retirement and tossed into prison for a few years. )
Remember Equifax ? Yeah ? How many have gone to jail or paid a fine for that one ?
Exactly.
At least two in prison. CIO and sw development mgr (Score:4, Interesting)
> Remember Equifax ? Yeah ? How many have gone to jail or paid a fine for that one ?
At least two are in prison for their actions regarding the breach. The Chief Information Officer and a Software Development Manager.
> Only when the fines are large enough to start bankrupting companies will they start to take security seriously.
They started about 2 years ago or so. Some three years ago, but it has really ramped up in the last couple of years due to network effects. The network effects have finally achieved critical mass.
What do I mean by network effects? Notice the breach was due to bad security by one of their *vendors*, which isn't rare. What do you want to bet that from now on they require some serious security audits from all of their vendors? My company doubled their security spending this year, because the companies we do business with are requiring us to improve our security. In order to meet the requirements, we need OUR vendors to be compliant, so we're now asking our vendors for security audit results.
It's now starting to be that if you want to do business with the big boys, you need to have your house in order regarding security. From everything I'm seeing the network effects will continue to increase. Also, insurance companies are just now starting to get on board, treating security just like they treat fire safety, etc. Don't meet fire code code? You either don't get insurance, or it costs a lot more. That should be a very good development.
Re:At least two in prison. CIO and sw development (Score:4, Interesting)
Yea, that all sounds nice on paper, but auditors are trash. Have you ever noticed that many of them are nice looking? Yea that is not a mystery, they are there to make their company physically look good.
Most of them by a large margin do not even know what they are doing. On top of that, regulations are always up for interpretation. Do you want to stay in business, don't get a reputation for actually auditing them. In IT auditors only get exactly what they are asking for and nothing else, why? Because they are too stupid to even ask the right questions. The only thing auditors will do is pick and choose a couple of low hanging fruits and ding you on that and go easy on the really nasty/important stuff.
You should read up on the Password article Slashdot did the other day. Not only is the security practices we put in place puerile jokes, most businesses and most professionals "fundamentally" do not understand security. Executives are constantly undermining security while acting like their business takes it seriously. Management constantly overlooks poor security practices by development teams, internal groups, & 3rd parties because they have pick your alphabet soup compliance's. I have personally witnessed businesses that have ignored security breaches, delayed critical responses to such breaches because "revenue", and out right ignoring a security issue because it was too important to keep operations going than to stop and secure the data. Almost every place I have ever worked has had salaries exposed, hipaa violations, back doors placed by staff, unprotected data, exposed API's and DOS's risks.
Basically the front door is fort knox security, so it looks nice, but the back door is removed from the hinges and tossed out. And this is just scratching the surface.
Incorrect the reason is worst (Score:2)
No because they know if they find something out they can cost the company a lot of liabilities, and they thus well aware that when they are asked to audit "a,b,d,e" and not "c", most of the time they aren't dumb they know they are not requested to do "c" , because "c" would be a costly issue. So company pay lip service and get their "we got an audit" , auditor got h
Re: (Score:2)
That's not fair, mate. I've experienced some very nice looking people in the professional world, and many are extremely knowledgeable about what they do for a living. Lots of sexy folks go to college, and I think there is a correlation there.
Re:At least two in prison. CIO and sw development (Score:5, Informative)
At least two are in prison for their actions regarding the breach. The Chief Information Officer and a Software Development Manager.
The CIO, Jun Ming, and the dev manager, Sudhakar Reddy Bonthu, were not convicted for their negligence in causing the breach, but for insider trading after the fact. They dumped shares in Equifax after they were told of the breach, but before it was announced to the public.
If they had not tried to profit from their own incompetence, they would have suffered no legal consequences.
Re: (Score:3)
They are in prison for insider trading on advance knowledge of the breach, not for the breach itself.
The system protects rich people (who own stock), not ordinary people (who have their data compromised).
Most people (Score:2)
> The system protects rich people (who own stock), not ordinary people
Most people. Most people own stock. 54% according to Gallup 2017. Yes, these people are far more likely to end up rich than people who don't invest, spending all of their money by the time the next paycheck arrives.
Choosing $1 in your checking account over $2 in your 401k account is foolish. People who take the $1 are either uninformed or a tad crazy. So the division is:
Ordinary people (who own stocks), foolish people (who spend their
Re:Motivation (Score:5, Insightful)
It happens so much lately ...
Does it?
There are literally millions of businesses out there that collect sensitive information on their customers and employees.
Most of them have no idea what they are doing security-wise.
For every announcement like this, there are 10 that silently cover it up, and 100 more that never even realize they were breached.
Re:Motivation (Score:4, Interesting)
My identity was stolen years ago and used to open a credit card in my name. The only reason I knew about it was because the thieves messed up and paid for rush delivery of the card before putting the address change through. When the credit card company (*cough* Capital One *cough*) heard it was fraud, their first response was to blame my wife. They told me that perhaps SHE opened the card in my name. Given that she was beside me at the time freaking out, I highly doubted that. (The thieves also got my mother's maiden name wrong and asked for a cash advance before the card was activated. That plus the immediate address change to a different state were red flags that apparently didn't mean anything to them.)
Once they admitted that it was fraud, they refused to give me the new address on the account - the one opened in my name. I asked why and this was their exact wording: "If you go there and shoot them, then we'll be liable." So they didn't care about liability for possibly ruining me financially (had the card gone to the thieves and they racked up thousands in debt under my name), but some theoretical murder that I might possibly take was highly worrying to them. They also insisted that the police call them on a special line - one that went right to a voicemail box that was never answered.
Total consequences for me? My credit is frozen for the rest of my life, to be thawed only when I need to open new lines of credit.
Total consequences for the credit card company? An extremely minor inconvenience of closing the account and then they went on their merry way.
Oh, and the thieves? No consequence at all since they were never caught. (At least not for stealing/using my identity.)
Info stolen? (Score:2)
And really, Bank of America just changed my CC for me, presumably because the card, while not being used, was involved in a dump like this.
hipaa violations $100 to $50,000 per violation (Score:2)
hipaa violations $100 to $50,000 per violation
Re: (Score:1)
hipaa violations $100 to $50,000 per violation
Yeah, but there is a maximum yearly fine, no matter how many violations took place during the year. It's currently capped at a measly 1-2 million dollars or so. For a major health care or insurance company that's chump change plus they have insurance or re-insurance that will pay the fine for them, so it amounts to basically nothing. This is why we need jail time for executives. Fines are effectively meaningless unless you make them so large that they're uninsurable and bankruptcy is the only option. In pra
But but but... (Score:2)
The US government HIPAA laws guarantee that can't happen.
How's that working out for you?
Re: (Score:1)
Oddly, HIPPA audits and exams seem to be less strict than those performed by FDIC, NCUA, and state agencies for banks and credit unions.
Re: (Score:2)
Likely because IT security in the medical industry a mess. Often because they have so many other regulations they need to comply with it prevents them from doing the right things security wise. Also because so so much is so time critical yet can't really be planned for only anticipated at best, you can't put up a bunch of barriers.
Example - You are having some acute episode during some other test or procedure. Maybe you reacted badly to the anesthesia or something. seconds count. The physician present w
Notification (Score:4, Insightful)
Will they be bothering to notify people who might be affected so they can mitigate the risks? Perhaps with a nice refund to cover the time and trouble?
I'll be here all week!
Re: (Score:3)
Also, remember, if you're health insurance includes Medicare, your id has been your Social Security number and may still be. I'm assuming the billing company needs this information to bill Medicare. It's taking awhile for the new Medicare IDs to be issued.
Re: (Score:2)
Just what I was thinking - when do they notify me that my information was stolen.
Also, remember, if you're health insurance includes Medicare, your id has been your Social Security number and may still be. I'm assuming the billing company needs this information to bill Medicare. It's taking awhile for the new Medicare IDs to be issued.
Even before Medicare age: I have long banned my employers from giving my SSN to medical providers, but I recently found that they had started doing it. After I called them about it, they told me that because I'm over 50(?) and they are required to because of something to do with Medicare.
Re: (Score:2)
Is there a handy method to freeze all three?
(not being snarky, seriously asking ...)
Re: (Score:2)
Since the company that had the leak was a medical BILLING company, they can at least take steps to watch for credit card fraud. As for the rest, if some company seems to know things about their medical history that it shouldn't know, they can be alert to the possability that that company is an accomplice to the crime.
Short Thread (Score:1)
Not much activity on this thread, and the reason is simple. There are so many of these breaches that everyone is just dulled.
interesting. (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
https://thedailywtf.com/articles/Jurassic-Programmers-
Let's just say despite the obvious changing of the names, I know this story not first hand (as an employee) but as a customer of said business. A sad tale all around. At this point, the company is no more. The old "ooooh! New! Shiny!!" bites again.
Re: (Score:2)
"WHen I worked for them (first as metpath, and later as corning), both our medical and billing systems were on Mumps (M) on PDP and later, on DECs"
I guess now it runs under OpenVMS. :-)
Yay drug testing (Score:2)
Credit Freezes Should Be Automatic (Score:3)
At this point, everyone's credit file should be considered to be compromised and frozen - with people needing to unlock them when they want to open new lines of credit. Except this would not only not be profitable for the big credit agencies, but would cut into their business of selling us to credit card companies as potential customers. So they'll fight tooth and nail to keep our credit files insecure and their profits sky high.
Great! (Score:2)