American Medical Collection Agency (AMCA), a US medical debt collector and vendor to giant healthcare organizations, has filed for bankruptcy protection in the aftermath of a massive data breach affecting customers of Quest Diagnostics, LabCorp, and several other healthcare institutions. Exposed data included medical test information, social security numbers, and other related personal information.
Healthcare companies looking to reduce costs and keep pace with today’s digitally connected world outsource many business functions to third-party vendors. This was the case with AMCA. Giants in the healthcare industry, namely Quest Diagnostics and LabCorp, contracted with AMCA for medical billing and collection and, as such, increased their attack surface for cybercriminals. Sometime between August 1, 2018 and March 30, 2019, hackers broke into AMCA and stole more than 20 million patient records. AMCA officials admitted to the security incident, and naturally, Quest, LabCorp, and other clients broke all ties with the vendor.
Yes, breaches have consequences
Aside from losing top customers, AMCA spent months trying to rectify the situation, maintain their reputation, and manage their finances. But, in the end, it was all too much. Bloomberg reports the data breach created a “cascade of events,” which incurred “enormous expenses that were beyond the ability of the debtor to bear.”
Too little, too late?
OK, so we know the price AMCA has paid, but what about Quest Diagnostics and LabCorp? Do these companies bear any of the blame? One thing is for sure: just because you outsource critical functions to a third party, it doesn’t mean you outsource the risk. You own it. You need to manage it. And if you don’t, be ready for class-action lawsuits, damage to reputation and brand, and financial loss.
Companies looking to enter into third-party business relationships should consider the following:
- What lessons have been learned from this breach?
- Has it taught them about the risks posed by third-party vendors and business associates?
- Could future cyberattacks be avoided, and if so, how?
Adopt a Third Party Risk Management Program
Companies like Quest Diagnostics and LabCorp need a comprehensive approach to managing third-party risk. A high-level overview of the Third Party Risk Management (TPRM) lifecycle includes proper planning, assessment and due diligence, contract negotiation, ongoing monitoring, and termination.
Delivered in the simplicity of the cloud, the Prevalent platform integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors – and a complete inside-out, outside-in view of your vendors.
- Risk Assessments: An inside-out approach that helps determine vendor compliance with IT security controls and data privacy requirements. Findings and remediation management between an outsourcer and its third parties ensure that required controls remain aligned with a company’s own risk appetite and tolerance levels.
- Continuous Monitoring: An outside-in approach that provides immediate insights to reduce risk surfaces across the vendor ecosystem. Native vulnerability scanning is combined with multiple external sources of cyber threat intelligence, and business risk monitoring covers operational, brand, regulatory, legal, and financial information. Together these ensure that you are looking beyond tactical vendor health and gaining the strategic business view that drives a vendor’s overall information security risk.
- Evidence Sharing Networks: A collaborative approach that leverages a repository of pre-completed vendor questionnaires to save time and resources. Sharing enables a collaborative, scalable, and cost-effective approach to risk reduction between outsourcers and third parties.
It's difficult to say that having the program, process, and solutions in place would have stopped these breaches. But with a mature TPRM program in place, these companies would have had visibility into the possible control failures that could have led to the breaches.