Quest Diagnostics Data Breech
The most recent Data breach involves Quest Diagnostics. Quest is among the largest medical testing labs on the planet. The unfortunate thing about this breach is the magnitude. Over 12 million people may have had Personal, financial and other information compromised. What’s more Quest was not the party that was hacked. In fact it was a subcontractor who worked for the company Quest contracted with to handle their billing.
Third Fourth Party
This is really bad in many ways other than the 12 million Quest customers who had their information stolen. While Quest was not hacked they are still seen as the responsible party by the customers. Quest uses Optum360 for its billing collections. Optum360 in turn uses AMCA(American Medical Collection Agency) for those services. Apparently AMCA told quest of the breach in mid May but were unsure of when the breach/hack occurred. The story is longer and more involved than I am going to engage in here, but this is the 30,000 foot overview.
The point here is that you need to be specific when outsourcing operations. You need to know and agree to exactly who is going to be doing the your work. This is especially true when it involves PII, PHI or Financial information. The reason should be clear. The news and other media top stories all imply on the surface that Quest Diagnostics was the company whose systems were compromised. As you know media always wants the most compelling headlines. If they were to say AMCA was breached, fewer readers/viewers would pay attention.
My question is who else uses AMCA for their collection services. How many other peoples information may have been stolen. What if anything will AMCA, Optum360 and Quest be required to do if identities are stolen. Can this information be sold to insurance companies? Could it be used against the victims in the future. Perhaps for health care related situations or to increase their premiums.
Are Your Systems at Risk
The details of the breach are still unknown. The fact remains that no business with an online presence is at risk of their systems being compromised. The biggest threat to most businesses is not of being hacked by some nefarious character. It is from inside its own employee base. It could be a disgruntled employee intent on causing as mush damage as possible. Possibly someone who feels they don’t get paid enough exfiltrates proprietary information and sells it to the competition. The biggest insider threat is an uninformed employee. Careless actions like inserting a thumb drive that is of unknown origin or clicking on a link in an email.