Quest Diagnostics.... The 4th Party Breach
Just like you I saw the many headlines saying "Quest Diagnostics says 11.9 million patients' financial and medical information may have been exposed in data breach". Although information is still limited, I will share with you what stuck out to me while reading several articles about the breach. The first was that the breach did not occur at Quest at all. It occurred at American Medical Collection Agency (AMCA), a billing collections service provider working for Optum360, and Optum360 is the actual third (direct) party to Quest Diagnostics. In this scenario AMCA is a 4th party, yet it holds much the same patient information as the 3rd party, Optum360. Confused? Don't be, this happens all the time! Simply stated, a company wins a contract and then hires subs to handle certain processes; in this case AMCA is a subcontractor for Optum360 and handles the billing of patients. The practical point is that each hand-off puts a copy of the data in another environment that Quest does not operate and may never have assessed. I have had several screening tests performed by Quest, so I will just assume my information is out there... yet again... Long sigh...
The second thing that stood out was the fact that AMCA was alerted by yet another party, a "security compliance firm that works with credit card companies", of a possible security compromise. This is actually not surprising, as I have had many security incidents that were reported by someone outside the organization. It is just an example that whatever AMCA was doing internally regarding prevention and detection of security incidents was not working fast enough, as this problem reportedly began back in Aug. 2018. And it doesn't appear they would have figured it out if the compliance firm had not alerted them to the problem. When an outside party is your detection mechanism, the time between compromise and discovery is whatever that outside party happens to notice, not anything you control.
This is just another example of how data handling is pushed to downstream partners while the risk stays with the company whose name is on the test results. Attackers don't need to get to Quest, and it may be too hard to get to Optum360, but the subcontractor with a treasure trove of payment data reportedly had something wrong with its website, and now we have exposure of 11.9 million patients' financial and medical information: the same information Quest has, but not protected the same way. It doesn't matter to the attacker where the information comes from, as long as it can be sold for a price! However, despite the 4th party breach it is Quest who is in the headlines, and ultimately responsible. A contract can assign liability to a sub, but it cannot move the obligation to protect the data, and security requirements that stop at the direct vendor do nothing for the copy two hops down the chain.