Recent breaches at vendors for Quest Diagnostics and LabCorp have exposed both payment and health data, a very dangerous combination.
The risk comes from the breadth of exposure across insurance, health and financial services. These incidents demonstrate the continuing trend of attacking vendors to gain access to the broadest possible range of valuable personal information.
A recent study by Carbon Black indicates the most valuable offering on the Dark Web today is health care information combined with personal financial data.
The breach announced by LabCorp, where 7.7 million customer records were accessed as the result of a breach at one of their billing collection vendors, clearly demonstrates that criminals are focused on healthcare vendors. The vendor is American Medical Collection Agency (AMCA), whose systems were accessed between August of 2018 and March of 2019. In this case, the records that were accessed at AMCA also included both healthcare and financial information.
There may also be some regulatory exposure for the health care companies. Under the HIPAA Omnibus Rule, Business Associates have specific obligations to protect personal health information, and Covered Entities (in this case Quest) are required to conduct appropriate due diligence to ensure that their Business Associates have the required data security protections in place.
Perhaps the most troubling aspect of breached health care information is that there is no mechanism in place to prevent its misuse. Action can be taken to freeze information at credit bureaus and indicate that financial information has been compromised.
In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised. However, no such centralized process exists for health care or insurance information, making it extremely difficult to prevent the unauthorized use of this information.