A day after Quest Diagnostics Inc. notified the Securities and Exchange Commission of a data breach that could affect 11.9 million people, another medical testing company has added to that total.
Laboratory Corporation of America Holdings (LabCorp) filed a Form 8-K with the SEC on Tuesday stating that a data breach could affect 7.7 million people. Like the Quest Diagnostics breach, it originated with the American Medical Collection Agency, a bill collection service that reported unauthorized activity on its online payment page.
Kate Borten, a health information security expert, called the breach “horrific.”
Borten said breaches involving contractors and business associates, which are sometimes several companies removed from the original healthcare provider or covered entity, are on the rise.
“Business associates must recognize the responsibility they have and the fact that they are absolutely subject to health and social services,” she said. “They are required to have in place all the security components of a good security program that a covered entity would have.”
American Medical Collection Agency breach
American Medical Collection Agency (AMCA) is a third-party bill collection agency. According to LabCorp’s SEC filing, AMCA notified the healthcare diagnostics company of unauthorized activity on AMCA’s web payment page between August 1, 2018 and March 30, 2019, the same period during which the unauthorized user had access to patient data from Quest Diagnostics.
LabCorp had referred approximately 7.7 million consumers to AMCA, and their data was kept in the affected system. Depending on the record, it included first and last names, dates of birth, addresses, phone numbers, dates of service, provider information and balance information. It also included credit card or bank account information provided by consumers seeking to pay their balance to the collection agency.
LabCorp states in the filing that no ordered tests, laboratory results or diagnostic information were provided to AMCA. AMCA has informed LabCorp that it does not store Social Security numbers or insurance identification information for LabCorp consumers.
According to the SEC filing, the unauthorized user appears to have had access to Social Security numbers contained in patient data at Quest Diagnostics, but not at LabCorp, Borten noted.
“It’s bordering on insane,” she said.
AMCA has not yet provided LabCorp with a complete list of LabCorp consumers affected by the breach, but it is in the process of sending notifications to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed, according to the filing.
AMCA also said it has taken steps to increase the security of its systems and is continuing to investigate the incident. LabCorp has stopped sending new collection requests to AMCA following notification of the incident and has suspended the agency’s work on any pending collection requests involving LabCorp consumers.
Any organization that handles confidential material through a web portal, whether or not it is patient information, should perform additional due diligence to ensure the security of that portal, Borten said.
“You should do penetration testing, you should do all kinds of monitoring of this site, because we all know it’s the entry point into your private network, your confidential assets,” she said. “Any organization that has that direct connection to the Internet should have these things in place.”
According to AMCA’s website, the company is the “primary collection agent for patient collections,” handling more than $1 billion in annual receivables. It works with labs, hospitals, physician groups, billing departments and medical providers across the country, according to the website.
Advice to CIOs: Be thorough and diligent with business associate contracts
Borten advised healthcare CIOs to borrow a strategy often used by large insurers and healthcare organizations, if they do not already: when entering into a contract with a third-party service provider, require that entity to complete a questionnaire about its security program.
The questionnaire should be followed by conference calls, site visits, a review of the vendor’s security policies and an overall security assessment.
Part of the challenge on the healthcare provider side is that hospitals and small provider organizations are already struggling to secure their own environments. Yet healthcare CIOs and security officers must recognize that business associate contracts are legally binding and enforceable, not just agreements.
“I say to covered entities and business associates who use these things, you should label this as a business associate agreement, because that is what it is,” she said. “This is how HHS views it and intends it to be used, and it is legally enforceable.”