Updated to include information on the LabCorp data breach.
An expert in data breaches, Eva Velasquez had a sinking feeling when she learned Monday of a new breach said to have affected 11.9 million patients served by Quest Diagnostics, one of the nation's largest medical testing firms.
Velasquez, 48, is president and CEO of the nonprofit Identity Theft Resource Center in San Diego.
Since she's had her blood drawn and tested by Quest in the past couple of years, “I'm sure I'm going to be personally affected by this breach,” Velasquez says.
Her mantra: “Don't panic, react.” That is, take proactive steps to guard personally identifiable information.
- Because Social Security numbers are believed to have been compromised in the Quest breach, put a freeze on your credit report at each of the major credit reporting agencies: Experian, Equifax and TransUnion. A freeze blocks new credit accounts from being opened in your name; it does not stop fraudulent charges on accounts you already have, which is why the account monitoring below still matters.
- "It's a robust, proactive consumer-protection step … and it's free,” Velasquez says.
- If you paid for a service from Quest and know how you paid, whether by credit card or using a bank account, monitor that account closely.
- If you have a log-on for a Quest account to pay your bill or make an appointment, change your username and create a unique password you haven't used before.
Hackers Hit LabCorp Patients
Medical testing giant LabCorp announced this week that hackers may have gotten personal data on about 7.7 million of its customers.
At issue is data LabCorp transmitted to the American Medical Collection Agency, in Elmsford, N.Y., the same agency that is implicated in the just-revealed breach involving Quest Diagnostics patient data. LabCorp is based in Burlington, N.C.
According to LabCorp, the data pilfered from the agency could include its patients’ names, dates of birth, addresses, phone numbers, service dates, health care providers and payment balances.
Patients who tried to pay what they owed using the collection agency’s web-payment page are being contacted, since about 200,000 LabCorp users’ credit card or bank account information may have been stolen, LabCorp said. This smaller group of patients will be offered identity-theft protection and credit-monitoring services for two years, LabCorp officials said.
The hacking took place over eight months, from August 2018 through March, LabCorp said.
The company reported the breach Tuesday to the Securities and Exchange Commission (SEC).
The firm “takes data security very seriously, including the security of data handled by vendors,” LabCorp said in a statement to the SEC. It also said it has stopped the collection agency from handling pending cases and is not sending it new ones.
According to LabCorp, it did not give the collection agency any medical test orders, lab results or diagnostic information. And the collection agency has said it does not store LabCorp users’ Social Security numbers or their insurance identification data.
LabCorp serves hundreds of thousands of customers in the U.S., with nearly 2,000 patient service centers and more than 6,000 in-office workers to draw patients’ blood.
Quest Diagnostics, based in Secaucus, N.J., said the breach does not include lab test results but is believed to include financial data, Social Security numbers and medical information.
The firm said the data breach occurred at one of its billing collections service providers, the American Medical Collection Agency.
Quest said that it has not received “detailed or complete information” from the agency about the incident, including which individuals may have been affected.
But since learning of the data breach, Quest said it has stopped sending collection requests to the agency.
"Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” the company said in a news release.
The billing agency first notified Quest on May 14 of potential unauthorized activity on its own web payment page and did not indicate until May 31 that nearly 12 million Quest customers may have been hit.
Quest calls itself one of the world's leading providers of diagnostic information services and says that each year it serves 1 in 3 adults in the U.S. and half the country's physicians and hospitals.
According to Quest, forensic experts are investigating.
The Quest breach is small relative to other giant data breaches. For example, 3 billion accounts were hit by a Yahoo breach in 2013, and up to 500 million people were affected by a Marriott International breach in 2018.
Still, when it comes to medical breaches, it may be one of the largest, said Harvard Medical School's Thomas H. McCoy, Jr., M.D., who has studied the issue.
McCoy and a colleague examined health data breaches reported to the Health and Human Services Department between 2010 and 2017 and published their findings last year in JAMA.
They examined 2,149 breaches during this period and found that three of them made up over half of all exposed health records: 78.8 million records were breached at Anthem Inc., 11 million records were breached at Premera Blue Cross, and 10 million were breached at Excellus Blue Cross Blue Shield.
(Since the start of 2019, there have been 174 breaches of medical information reported to the Department of Health and Human Services, and in 2018 there were 372 breaches.)
Under the HIPAA Breach Notification Rule, covered entities must report breaches of unsecured protected health information affecting 500 or more individuals to HHS, which publishes them; smaller breaches must still be logged and reported to HHS annually.
"It is certainly an expectation that people have of the health care industry: confidentiality of medical data,” McCoy says.
Velasquez, of the Identity Theft Resource Center, says criminals actually are more interested in your Social Security number or other financial data than your medical diagnoses, but she did not rule out that a crook could use a diagnosis as blackmail, say, if you don't want an employer to know about it.
She notes that her financial data has been compromised before.
"I have been affected by other breaches — the Target breach, the Home Depot breach, the Anthem breach — and those are the ones that I kept track of.
"I've adopted the mind-set to treat your data as if it's already breached. That way you, post-breach, don't have to change that much of your behavior.
"It is the world we live in,” Velasquez adds. “Your data is out there, and you, as a user, are creating more and more every day."