Beyond size, the notable characteristic of this data breach is how Quest's patient data was accessed. Quest Diagnostics uses Optum360 LLC for revenue cycle management services; Optum360 in turn uses American Medical Collection Agency (AMCA) for bill collection services, and it was AMCA's system that was breached.

Clyde Hewitt, executive advisor at healthcare cybersecurity consultancy CynergisTek Inc., described it as a "nesting of vendors." At each layer, the services become more specialized, but the overall complexity can make it hard for healthcare CIOs to track where their organization's data goes.

"The lack of visibility and accountability up and down the food chain is where CIOs really need to go back and take a second look," Hewitt said, "especially when it's going to involve millions and millions of records like this, where they're all collected together."

The breach and the reaction

The details surrounding the Quest Diagnostics data breach are scant and stem from the company's SEC filing. The medical testing company, based in Secaucus, N.J., said it was first notified by AMCA of the breach on May 14, along with Optum360. According to AMCA, an unauthorized user had access to a system between Aug. 1, 2018, and March 30, 2019, that contained data from approximately 11.9 million Quest Diagnostics patients. The system's data included Social Security numbers, credit card information and medical information, but not lab results.

In response to the incident, Quest Diagnostics suspended sending collection requests to AMCA. Quest Diagnostics also noted in the SEC filing that it has not yet received detailed or complete information about the breach and has not been able to verify the accuracy of the information received from AMCA.

Security experts called the Quest Diagnostics data breach unsurprising. Larry Ponemon, co-founder and chairman of the Ponemon Institute in Traverse City, Mich., said he hopes healthcare CIOs see it as "a warning to organizations that feel like they're safe, like they don't have a bullseye on their back. It's likely going to happen to your organization."

Josh Zelonis, a security analyst at Forrester, said in an email that "it's the same story over and over again." Third-party vendors are an unavoidable part of the healthcare ecosystem today, and, according to Zelonis, that puts the onus on healthcare CIOs to "understand what information is being shared with third parties, and how they are using/protecting."

Kristina Podnar, digital policy consultant and author of The Power of Digital Policy, noted that this is the second Quest data breach in less than three years. In 2016, Quest's internal systems were hacked, an incident that affected 34,000 patients. "Overall digital governance is failing these companies or they don't have good digital governance in place," she said.

As level one contractors subcontract out to level two, level three, level four subcontractors and so on, healthcare CIOs will run into difficulty identifying where their data goes without a thorough risk assessment, according to Hewitt.

Exercising due diligence

"A true risk assessment analyzes where that covered entity's personal health information is all the way through the food chain," Hewitt said. "And that becomes challenging unless there is an aggressive, hands-on approach to identifying the data flow."

Marti Arvin, executive advisor at CynergisTek, also implored healthcare CIOs to conduct appropriate due diligence, such as digging into data protection processes, when selecting third-party vendors. Arvin recommended healthcare CIOs conduct "risk-based" due diligence on third-party vendors. "You have to first look and assess what is the risk to us regarding what that vendor is doing with or to our data," she said. The level of due diligence conducted will depend on how much access a vendor has to the organization's data. "If it's a high risk, you'll want to do a deeper dive." That may include visiting the vendor's data center to see the kind of physical protection that exists, asking questions about the applications a vendor is using, and reviewing the privacy and information security training and education the organization gives to its workforce, she said. "If you've done sufficient due diligence on your vendor, you should have some confidence that they're doing appropriate due diligence on those subcontractors that they're hiring," she said.

Hewitt also recommended healthcare CIOs pay attention to how they're plugged into the incident response process and how fast they get notified. "I commend Quest, in one respect: This happened on May 14 and it's already notifying on June 3," he said.