On June 3, 2019, Quest Diagnostics, a leading clinical lab testing company, announced that an unauthorized user had accessed the personal information of 11.9 million customers, including social security numbers, bank account information, credit card numbers, and medical information, per a filing with the Securities and Exchange Commission (SEC).
Third Party at Fault
American Medical Collection Agency (AMCA), a provider of billing collection services to Optum360, a Quest contractor, notified Quest that an unauthorized user had accessed AMCA’s payment pages between August 1, 2018 and March 30, 2019. AMCA has not yet specified which individuals’ data was exposed, and UnitedHealth, Optum360’s parent, has advised that its Optum360 systems were unaffected by this breach. In response, Quest has suspended collection requests to AMCA.
A Big Problem Getting Bigger
The size of Quest’s breach highlights the scale of risk third parties can pose to organizations. Quest’s breach is significant both for its size and for the broader trend it represents: hackers targeting healthcare companies to exploit patients’ financial information, the Holy Grail for attackers.
Although Quest’s breach was a fraction of the size of the largest healthcare breach, it still exposed a significant amount of data. The greatest healthcare breach in history was the 2014 attack on Anthem Inc., in which hackers stole or compromised the records of 79 million people. Quest’s breach only exposed a fraction of Anthem’s, but this attack surpassed last year’s largest breach, which compromised the data of 2.65 million customers. Clearly, this problem is getting bigger.
Furthermore, Quest was breached through AMCA’s payment pages rather than its own systems. Healthcare information is not readily monetized, so a billing collection company like AMCA, which handles payment card and bank account data, is a more attractive target for hackers.
A Comprehensive Approach to Third-Party Risk Management is Needed
This breach underscores the need for organizations to implement a comprehensive third-party risk program, especially one that monitors vulnerable domains like payment and login portals. Prevalent can help. Our third-party risk management platform includes capabilities for monitoring domains to ensure industry standard encryption protocols are supported and that HTTP Strict Transport Security (HSTS) is enforced. In fact, Forrester recently named Prevalent a Leader in The Forrester New Wave™: Cybersecurity Risk Rating Solutions and noted that, “Prevalent is best for companies that want one TPRM tool with integrated cyber-risk ratings. Given its robust risk intelligence and comprehensive risk management features, Prevalent is a worthy option for Security and Risk professionals seeking one tool for all cyber TPRM activities.”
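As an added illustration of what "HSTS is enforced" means when monitoring a vendor's payment or login portal (example code written for this post, not Prevalent's platform), the script below parses Strict-Transport-Security headers from constructed sample responses and reports policy gaps. The hostnames, the one-year max-age floor, and the response headers are all assumptions made for the example.

```python
"""Evaluate Strict-Transport-Security (HSTS) headers as a third-party
domain monitor would. Sample responses below are constructed, not real."""
import re

MIN_MAX_AGE = 31536000  # assumed policy floor: one year, in seconds


def parse_hsts(header):
    """Split an HSTS header value into lowercase directive names -> values.
    Returns None for a duplicate directive, which RFC 6797 treats as invalid."""
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"')
    return directives


def hsts_findings(headers):
    """Return findings for one HTTPS response; an empty list means enforced."""
    # Header names are case-insensitive, so match them case-insensitively.
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["HSTS header missing"]
    d = parse_hsts(hsts)
    if d is None:
        return ["HSTS header malformed (duplicate directive)"]
    findings = []
    ma = d.get("max-age")
    if ma is None or not re.fullmatch(r"\d+", ma):
        findings.append("max-age missing or not numeric")
    elif int(ma) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(ma) < MIN_MAX_AGE:
        findings.append(f"max-age {ma} below policy minimum {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


# Constructed responses for three hypothetical vendor portals.
SAMPLE_RESPONSES = {
    "pay.vendor.test": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "login.vendor.test": {"strict-transport-security": "max-age=300"},
    "old.vendor.test": {"Content-Type": "text/html"},
}


def audit(responses):
    """Map each host to its HSTS findings."""
    return {host: hsts_findings(h) for host, h in responses.items()}
```

A live monitor would fetch each portal over HTTPS and feed the real response headers into audit() on a schedule, alerting when a previously clean host gains a finding.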
As the industry’s only purpose-built, unified platform that integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors, Prevalent provides the most complete solution for a highly functioning, effective third-party risk program.
Focus on preparation, communication, and lessons learned to be better prepared for the next vendor breach...