Key Lessons from the Quest Diagnostics Data Breach

Another day, another multi-million-user data breach. Yesterday, Quest Diagnostics announced that it suffered a data breach which potentially exposed the records of nearly 12 million people. Quest Diagnostics is one of the largest blood testing providers in the United States.

The Quest Diagnostics data breach took place over the course of nearly a year, from August 1, 2018 to March 30, 2019. Quest Diagnostics announced that an unidentified, unauthorized user gained access to personal information, including financial data, Social Security numbers, and medical information, although the company said no laboratory test results were exposed.

The Quest Diagnostics Data Breach and Third Parties

However, it does not appear that Quest Diagnostics is directly responsible for the data breach. Rather, the breach began as a compromise of a third-party vendor. NBC News reports that Quest filed a report with the Securities and Exchange Commission concerning the American Medical Collection Agency (AMCA); AMCA provides billing collection services to Optum360, a Quest contractor.

Recently, AMCA informed Quest of the breach. Unfortunately, as of the time of writing, AMCA has not yet provided Quest Diagnostics with detailed information about the extent of the breach. Additionally, Quest is still verifying the accuracy of AMCA's information.

According to a statement from AMCA, an internal investigation and collaboration with law enforcement and external forensics experts are already underway. In its own statement, Quest said it has suspended sending collection requests to AMCA.

The Quest Diagnostics data breach highlights a significant identity and access management issue we have covered in previous articles: the danger of third-party access to enterprise networks. Without a modern identity management solution, third-party users generally do not appear in the enterprise's Active Directory, so the usual authentication policies (such as an MFA requirement) are not applied to them automatically. They may also fall outside the normal provisioning, deprovisioning, and access-auditing processes, which means a vendor account can remain enabled long after the engagement it was created for has ended.
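The gaps described above (vendor identities that escape the authentication policy, have no internal sponsor, are never deprovisioned, or sit unused) are exactly what a periodic third-party access review looks for. The following is an added example, not code from the original article or from any of the companies mentioned: it runs the review over a small, constructed account inventory embedded inline. The record layout, field names (`type`, `owner`, `access_end`, `last_login`, `mfa`) and the 90-day inactivity threshold are assumptions for illustration; a real review would read the same fields from a directory or IAM export.

```python
"""Access review for third-party (vendor) accounts.

Added example, not code from the original article. The inventory below is
constructed sample data in the shape an IAM or directory export might take;
every field name, threshold and record is an assumption for illustration.
"""
from datetime import date, datetime, timedelta

# Constructed sample inventory (not real data). `owner` is the internal
# sponsor responsible for the account; `access_end` is the contract end.
ACCOUNTS = [
    {"user": "jdoe", "type": "employee", "enabled": True, "mfa": True,
     "owner": None, "access_end": None, "last_login": "2019-05-30"},
    {"user": "svc-billing-vendor", "type": "vendor", "enabled": True, "mfa": False,
     "owner": "finance-it", "access_end": "2019-12-31", "last_login": "2019-05-28"},
    {"user": "contractor-amy", "type": "vendor", "enabled": True, "mfa": True,
     "owner": None, "access_end": "2019-09-30", "last_login": "2019-05-29"},
    {"user": "old-collections", "type": "vendor", "enabled": True, "mfa": True,
     "owner": "finance-it", "access_end": "2018-12-31", "last_login": "2018-12-20"},
    {"user": "dormant-partner", "type": "vendor", "enabled": True, "mfa": True,
     "owner": "partner-mgmt", "access_end": "2019-12-31", "last_login": "2019-01-15"},
    {"user": "former-vendor", "type": "vendor", "enabled": False, "mfa": False,
     "owner": None, "access_end": "2018-06-30", "last_login": "2018-06-01"},
]

# Assumed policy: a vendor account unused for more than 90 days needs review.
INACTIVITY_LIMIT = timedelta(days=90)

# Fixed review date so the example is reproducible offline.
REVIEW_DATE = date(2019, 6, 4)


def _parse(d):
    """Parse an ISO date string, or return None when the field is empty."""
    return datetime.strptime(d, "%Y-%m-%d").date() if d else None


def review_third_party_accounts(accounts, today, inactivity_limit=INACTIVITY_LIMIT):
    """Return (user, finding) pairs for enabled vendor accounts.

    Each check corresponds to one of the gaps third-party identities tend to
    fall into: no MFA (outside the authentication policy), no internal owner
    (outside provisioning), an expired engagement that was never
    deprovisioned, and prolonged inactivity (never audited).
    """
    findings = []
    for a in accounts:
        if a["type"] != "vendor" or not a["enabled"]:
            continue  # employees and already-disabled accounts are out of scope
        user = a["user"]
        if not a["mfa"]:
            findings.append((user, "no MFA enforced"))
        if not a["owner"]:
            findings.append((user, "no internal owner/sponsor"))
        end = _parse(a["access_end"])
        if end is not None and end < today:
            findings.append((user, "access end date passed but account still enabled"))
        last = _parse(a["last_login"])
        if last is None or today - last > inactivity_limit:
            findings.append((user, "inactive beyond %d days" % inactivity_limit.days))
    return findings


def summarize(findings):
    """Group findings per account so each user appears once in the report."""
    report = {}
    for user, finding in findings:
        report.setdefault(user, []).append(finding)
    return report


if __name__ == "__main__":
    for user, issues in summarize(review_third_party_accounts(ACCOUNTS, REVIEW_DATE)).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed inventory, four of the five vendor accounts produce a finding; the disabled `former-vendor` account is skipped because deprovisioning already happened, and the employee account is out of scope. The useful property of a review like this is that it is driven by data about the engagement (owner, end date) rather than by the directory alone, which is where vendor accounts tend to be invisible.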

To gather other perspectives on the Quest Diagnostics data breach, we reached out to identity and access management experts from around the world. Here's what they had to say:

What Identity Security Experts Say about the Quest Diagnostics Data Breach

Kevin Gosschalk, CEO of Arkose Labs

“The Quest Diagnostics data breach is a timely reminder that when a company is working with a vendor, there is an added access point that needs to be protected. As hackers continue to evolve, they will target the endpoints that companies might not actively think of protecting. Credit card numbers, medical information, and personal data were stolen from 11.9 million people in this breach lasting almost an entire year. It is especially important for companies with sensitive information, such as medical records, to be proactively protecting each endpoint.”

Ivan Novikov, CEO of Wallarm

“Online payments always present a slew of security risks, especially when personal and health information might be exposed alongside the financial concerns. The risks may include credential stuffing, client-side vulnerabilities such as XSS, as well as server-side vulnerabilities including remote code execution and server-side request forgery. When payment is subcontracted, as in the case of Quest Diagnostics, both sides need to be doubly concerned by the security of the APIs. Internet transactions are only as secure as the people and the tools safeguarding them.”

Colin Bastable, CEO of Lucy Security

“Once again, a breach that results from third-party vulnerabilities. Outsourcing billing to third-party vendors is a great way to extract efficiencies by reducing core costs, but it exposes the business and its customers to uncontrollable security risks. The fragmented healthcare industry, like the fragmented home finance and buying industry, is vulnerable because there are so many moving parts, so many areas where bad actors have multiple points of entry to exploit inadequate security.”

Robert Prigge, President of Jumio

“Today’s breach by Quest Diagnostics serves as a watershed event and a wake-up call to the healthcare industry only now recovering from the very public ransomware attacks. Sadly, healthcare data breaches are ubiquitous today—and are trending up.

Over the last decade, there have been over 2,550 data breaches impacting more than 175 million records. That’s the equivalent of affecting more than 50 percent of the U.S. population. What is not commonly understood is that medical records command a high value on the dark web—these records can be listed up to 10 times more than the average credit card breach because there’s more personal information in health records than any other electronic database.”

Pankaj Parekh, Chief Product and Strategy Officer at SecurityFirst

“It’s not enough to protect your data—you have to understand that data shared with partners and vendors is also at risk. Enterprises like Quest Diagnostics must carefully assess the security practices of their vendors to make sure that customer data remains secured. This is a lot more work for already stretched security and IT teams.”

Laurence Pitt, Security Strategy Director at Juniper Networks

“Although there’s no evidence of weakness in the security that Quest Diagnostics is using, this was a breach through a vendor in their supply chain and shows that however good your security strategy is, it can only ever be as good as the weakest link in the chain—and that could easily be a third party. It’s essential to evaluate security for every link in the supply chain, and data-protection regulations enforce this. You cannot outsource security responsibility!”

Michael Magrath, Director of Global Regulations & Standards at OneSpan

“The Quest Diagnostics data breach is another example of the growing trend of third-party breaches and supports Ponemon Institute’s 2018 “Data Risk in the Third-Party Ecosystem” study. The study found that 59% of companies surveyed had experienced a data breach caused by their vendors or third parties. This breach will undoubtedly bring a hefty fine from HHS’s Office of Civil Rights to AMCA as a business associate of Quest Diagnostics, and affected customers can look forward to what has been the customary free credit monitoring service letter in their mailbox.”

Dana Tamir, VP Market Strategy at Silverfort

“Today, more than ever, hackers are exploiting weak and stolen credentials to gain unauthorized access to sensitive systems and data. The best way to prevent unauthorized access is by enforcing multi-factor authentication (MFA): requiring users to authenticate with a second factor (via a mobile app, smart card, one-time passwords, etc.) ensures that only authorized users can access sensitive systems. Yet most of our sensitive systems still rely on password-only authentication mechanisms, which can be easily bypassed.”

Thank you to our identity and access management experts for their commentary on the Quest Diagnostics data breach. If you would like to learn more about protecting your enterprise against third-party breaches, why not check out our 2019 Identity Management Buyer’s Guide? We explore the top vendors in the field and their key capabilities!

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.