Update: Nearly 12 Million Patients Fall Victim to Quest Diagnostics’ Data Breach

Information exposed in the hacking includes financial data, Social Security numbers and medical information, Quest said.

Nearly 12 million people have had their financial, medical and personal information exposed due to a data breach, Quest Diagnostics announced late Monday. It is the latest life sciences organization to be hit by hackers.

The New Jersey-based company said the American Medical Collection Agency (AMCA), a billing collections service provider, reported that an unauthorized user had access to AMCA’s system containing the personal information of clients. AMCA provides billing collections services to Optum360, a Quest Diagnostics contracting company. Quest and Optum360 are working with forensic experts to investigate the matter, the company said.

The breach was first suspected in mid-May, but on May 31 AMCA notified both Quest and Optum360 that the breach on AMCA’s web payment page impacted approximately 11.9 million Quest patients. AMCA said the information that was exposed during the breach includes financial data, Social Security numbers and medical information. However, laboratory test results were not exposed, AMCA said.

Full information regarding the breach was not provided to Quest or Optum360 by AMCA, the company said. Quest said it anticipates more specific information on which individuals were impacted by the breach. Quest has also not been able to verify the accuracy of the information received from AMCA, the company said.

“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA,” Quest said in a statement. “Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law. We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more.”

In a statement sent to BioSpace Tuesday night, AMCA said it is investigating the incident.

“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information,” AMCA said in its statement.

This is the second big data breach reported within the last month. In May, Charles River Laboratories reported that it had been hit by hackers in March. The data of about 1 percent of its total number of clients was compromised, Charles River said. At the time it had reported the hacking to the government, Charles River said there was no indication that any of the client data that was determined to have been accessed was deleted, corrupted or altered. Charles River said it has notified all clients whose data was known to have been copied and compromised.

Following the Charles River Laboratories hacking, Andrew Douthwaite, chief technology officer for Colorado-based VirtualArmour, a cybersecurity company, told BioSpace that, out of five major business sectors, the pharma industry is the second-highest target for hackers. He had predicted at the time that another hacking on the scale of the Charles River incident was inevitable, and the Quest announcement proved him correct.

Last year, the federal National Counterintelligence and Security Center (NCSC) pegged biotechnology as a rich target for foreign hackers. The report listed “biomaterials, biopharmaceuticals and new vaccines and drugs as of particular interest” to foreign hackers. Additionally, the government report said hackers are interested in garnering information on advanced medical devices, infectious disease treatment and genetically modified organisms.

There have certainly been a number of hacking incidents in the life sciences. In April, Partners for Quality, which provides services and support to individuals with intellectual and developmental disabilities, reported unauthorized access to client information. Last year, Sangamo Therapeutics reported a data breach after an executive’s email was hacked. Also last year, healthcare giant Johnson & Johnson was the subject of a data breach that compromised the emails of hundreds of people in Ireland. In 2017, a U.S. clinic was attacked and data from a Phase II trial was stolen. A U.K. CRO was also hit the same year and mid-stage data was stolen. Also in 2017, pharma giant Merck & Co., among other companies, was targeted by a malware attack that was believed to have originated in Ukraine.

