American Medical Collection Agency (AMCA), a US medical debt collector and vendor to giant healthcare organizations, has filed for bankruptcy protection in the aftermath of a massive data breach affecting customers of Quest Diagnostics, LabCorp, and several other healthcare institutions. Exposed data included medical test information, social security numbers, and other related personal information.
Healthcare companies looking to reduce costs and keep pace with today’s digitally connected world outsource many business functions to third-party vendors. This was the case with AMCA. Giants in the healthcare industry, namely Quest Diagnostics and LabCorp, contracted with AMCA for medical billing and collection and, in doing so, increased the attack surface available to cybercriminals. Sometime between August 1, 2018 and March 30, 2019, hackers broke into AMCA and stole more than 20 million patient records. AMCA officials admitted to the security incident, and naturally, Quest, LabCorp, and other customers broke all ties with the vendor.
Aside from losing top customers, AMCA spent months trying to rectify the situation, maintain their reputation, and manage their finances. But, in the end, it was all too much. Bloomberg reports the data breach created a “cascade of events,” which incurred “enormous expenses that were beyond the ability of the debtor to bear.”
OK, so we know the price AMCA has paid, but what about Quest Diagnostics and LabCorp? Do these companies bear any of the blame? One thing is for sure: just because you outsource critical functions to a third party doesn’t mean you outsource the risk. You own it. You need to manage it. And if you don’t, be ready for class-action lawsuits, damage to reputation and brand, and financial loss.
Companies looking to enter into third-party business relationships should consider the following:
Companies like Quest Diagnostics and LabCorp need a comprehensive approach to managing third-party risk. A high-level overview of the Third Party Risk Management (TPRM) lifecycle includes proper planning, assessment due diligence, contract negotiation, ongoing monitoring, and termination.
Delivered in the simplicity of the cloud, the Prevalent platform integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors – and a complete inside-out, outside-in view of your vendors.
It's difficult to say that having the program, process, and solutions in place would have stopped these breaches. But with a mature TPRM program in place, these companies would have had visibility into possible control failures that could have led to the breaches.