Pair of National Labs Latest to Suffer Unnecessary Data Breaches
July 25, 2019
By Lena Licata, EisnerAmper, and Serge Rubinstein, CENTRL
Well, here we go again. Quest Diagnostics and LabCorp, two of the country’s largest medical laboratory companies, suffered sizable data breaches in May 2019. The number of people affected has been quoted as a staggering 12 million for Quest and 7.7 million for LabCorp. Unfortunately, key personally identifiable information was accessed, including names, dates of birth, Social Security numbers, credit card information, addresses, and telephone numbers. The breaches occurred at the billing collections firm American Medical Collection Agency (AMCA). All three companies are now employing forensic firms to understand the facts surrounding the breaches.
At the time of this blog post, it appears that unauthorized activity at a critical third-party vendor responsible for billing caused the data breaches—not a failure of the security controls of LabCorp or Quest Diagnostics themselves. However, an argument can be made that further (active) oversight by LabCorp and Quest could have caught the lack of controls at the vendor before it led to those breaches.
The good news, if there is any, coming out of the breaches is the valuable lessons learned. For example, establishing a Vendor Risk Management (VRM) program can help reduce the risks associated with using outsourced vendors. How? Start with a data map of critical data points and tie that data to the systems, interfaces and vendors that handle it. Establish critical points of security over that data along with a population of critical vendors. Next, review those vendors’ security controls to address key cyber areas such as access, employee training, and other technical security components.
Companies that employ best practices for VRM programs use technology to organize, synthesize and analyze their vast amounts of data. These same companies hand off the menial and manual tasks associated with risk management to that technology and create notifications wherever standards are unmet.
Forward-looking companies understand that the amount of data involved in proper risk management will continue to grow, while the resources needed to manage it will remain stagnant—or even decrease. For better or worse, companies that excel in risk management will never receive any accolades or notoriety, because you never hear anything when vendor risk management is performed correctly. It’s a case of no news is good news! Conversely, it’s the companies that mismanage their risk management program that receive the notoriety (albeit the wrong kind) and have to face the reputational and financial consequences.