On November 28th, 2016 Quest Diagnostics failed to secure the Protected Health Information (PHI) of 34,000 patients from unidentified threat actors. An “unauthorized third party” accessed patient data including their lab results, name, date of birth, and telephone numbers. According to a press release from Quest Diagnostics, the stolen information does not include Social Security Numbers, or credit card information. Hackers were able to steal the data through an insecure web application named MyQuest by Care360. Patients are able to store and share electronic health records through the app. The MyQuest app is available online and to both Android and iPhone users.
Quest stated that they alerted all victims via post mail and reported the data breach to federal law enforcement officials. Quest Diagnostics is now working with a cyber security firm to address the vulnerability. Despite the recent data breach, Quest Diagnostics Inc. (NYSE:DGX) stock prices hit a new 52-week high.
Digital theft of medical records is on the rise as the black market value of a single patient’s medical record can fetch nearly 60x more than a stolen credit card number. Earlier this year, a Los Angeles based hospital paid hackers $17,000 to mitigate a ransomware attack. Healthcare records are under attack by cybercriminals as shown by a study that established that over half of the medical facilities they surveyed have dealt with a ransomware attack.
Over 300 electronic health record data breaches have occurred in 2016, and over 15 million patients have had their medical records stolen, according to the U.S. Department of Health and Human Services Office for Civil Rights. That equates to roughly 28% of the US population, or every one-in-four persons living in the US that have had some, or all, of their health records compromised. Those actual numbers are likely higher since the HITECH Act only requires data breaches of 500 individuals, or more, to be reported.
The MyQuest by Care360 app was the target of the data breach. 34,000 patients’ Protected Health Information was stolen.
As the patient it is difficult to protect your electronic health records, because you have limited control over how medical providers electronically store your information. There is a required trust that the medical provider, and/or their IT firm, has properly secured your private information. However, as the patient you still have a voice. You can limit the identifying information you provide medical providers. For example, there is usually no reason a doctor needs your Social Security Number. Every time you give information to any person, or business, you expose yourself. Patients should not be afraid to ask their doctor, “Why do you need that information to take care of me?” If a doctor insists on having it, you can ask for a changeable PIN as a substitute to authenticate you. Likewise, don’t be afraid to ask your medical provider how often they conduct security audits. Or if they’ve ever experienced a breach. The reality is, your personal medical information is actively hunted for everyday by threat actors. Asking if your information is secure is absolutely reasonable and justifiable.
If you’re a medical provider, chances are you’ve partnered with Quest Diagnostics, and numerous other third parties (lab providers, hospitals, registries, etc.) to exchange medical data. Likewise, it’s often the case that you’re under the same required trust that your patient’s data is secure and safe. Understanding your risks, and what you can do to mitigate some of these vulnerabilities, is critical to keeping your patients information secure.
If you’re seeking clarity and a tangible course of action on proactively protecting your patient’s medical records, Breadcrumb Cybersecurity can help. When choosing to partner with Breadcrumb, protecting the privacy of your patients, and the reputation of your practice, is our number one priority.