
Don't Panic About Quest Data Breach, Expert Says

Be proactive and guard personal, financial data

A Quest Diagnostics Inc. requisition form
Bloomberg / Getty Images

Updated to include information on LabCorp data breach.

An expert in data breaches, Eva Velasquez had a sinking feeling when she learned Monday of a new breach said to have affected 11.9 million patients served by Quest Diagnostics, one of the nation's largest medical testing firms.

Velasquez, 48, is president and CEO of the nonprofit Identity Theft Resource Center in San Diego.

Since she's had her blood drawn and tested by Quest in the past couple of years, “I'm sure I'm going to be personally affected by this breach,” Velasquez says.

Her mantra: “Don't panic, react.” That is, take proactive steps to guard personally identifiable information.

According to Quest, forensic experts are investigating.

The Quest breach is small relative to other giant data breaches. For example, 3 billion accounts were hit by a Yahoo breach in 2013, and up to 500 million people were affected by a Marriott International breach in 2018.

Still, when it comes to medical breaches, it may be one of the largest, said Harvard Medical School's Thomas H. McCoy, Jr., M.D., who has studied the issue.

A logo sign outside of the headquarters of Laboratory Corporation of America Holdings (LabCorp) in Burlington, North Carolina
ASSOCIATED PRESS

Hackers Hit LabCorp Patients

Medical testing giant LabCorp announced this week that hackers may have gotten personal data on about 7.7 million of its customers.

At issue is data LabCorp transmitted to the American Medical Collection Agency, in Elmsford, N.Y., the same agency that is implicated in the just-revealed breach involving Quest Diagnostics patient data. LabCorp is based in Burlington, N.C.

According to LabCorp, the data pilfered from the agency could include its patients’ names, dates of birth, addresses, phone numbers, service dates, health care providers and payment balances. 

Patients who tried to pay what they owed using the collection agency’s web-payment page are being contacted, since about 200,000 LabCorp users’ credit card or bank account information may have been stolen, LabCorp said. This smaller group of patients will be offered identity-theft protection and credit-monitoring services for two years, LabCorp officials said.

The hacking took place over eight months, from August 2018 through March, LabCorp said.

The company reported the breach Tuesday to the Securities and Exchange Commission (SEC).

The firm “takes data security very seriously, including the security of data handled by vendors,” LabCorp said in a statement to the SEC. It also said it has stopped the collections agency from handling pending cases and is not sending it new ones.

According to LabCorp, it did not give the collections agency any medical test orders, lab results or diagnostic information. And the collections agency has said it does not store LabCorp users’ Social Security numbers or their insurance identification data.

LabCorp serves hundreds of thousands of customers in the U.S., with nearly 2,000 patient service centers and more than 6,000 in-office workers to draw patients’ blood.

McCoy and a colleague examined health data breaches reported to the Health and Human Services Department between 2010 and 2017 and published their findings last year in JAMA.

They examined 2,149 breaches during this period and found that three of them made up over half of all exposed health records: 78.8 million records were breached at Anthem Inc., 11 million records were breached at Premera Blue Cross, and 10 million were breached at Excellus Blue Cross Blue Shield.

(Since the start of 2019, there have been 174 breaches of medical information reported to the Department of Health and Human Services, and in 2018 there were 372 breaches.)

Under the law, reports must be made to HHS when there are breaches of unsecured protected health information affecting 500 or more individuals.

"It is certainly an expectation that people have of the health care industry: confidentiality of medical data,” McCoy says.

Velasquez, of the Identity Theft Resource Center, says criminals actually are more interested in your Social Security number or other financial data than your medical diagnoses, but she did not rule out that a crook could use a diagnosis as blackmail, say, if you don't want an employer to know about it.

She notes that her financial data has been compromised before.

"I have been affected by other breaches — the Target breach, the Home Depot breach, the Anthem breach — and those are the ones that I kept track of.

"I've adopted the mind-set to treat your data as if it's already breached. That way you, post-breach, don't have to change that much of your behavior.

"It is the world we live in,” Velasquez adds. “Your data is out there, and you, as a user, are creating more and more every day."
