In the wake of recent security breaches involving Quest Diagnostics and LabCorp, cybersecurity experts are urging health care entities including laboratories, hospitals and physician practices to take extra precautions when it comes to protecting valuable and sensitive patient information.
Michael Geraghty, the state’s chief information security officer, said he is seeing more breaches across all sectors, not just in health care.
“In addition to all the operational disruptions, the legal, financial and regulatory issues, there is also the harm that is done to the individuals whose data has been taken,” Geraghty said.
He added that health care data could be used in more nefarious ways than a credit card or some other personally identifiable information (PII).
“The sensitivity of health care data is paramount and organizations who are entrusted to protect that need to put appropriate security measures in place in order to protect the privacy and safety of those that they serve,” Geraghty said.
Health care entities, he pointed out, need to do everything from training their people on how to handle PII and on all the laws and regulations around it, to making sure those people are aware of those rules.
“There’s also the processes they put in place to make sure that they are being followed and there is the technology. It’s a three-pronged approach — people, process and technology,” Geraghty said.
John Wolak, leader of the privacy and data security team at Newark-based Gibbons PC, said the security events for Quest and LabCorp could happen to any business in or outside the health care space, because the events relate to data outsourced to a third party service provider and most businesses outsource data in one form or another regardless of industry and regardless of size.
“Mitigating the risk of outsourcing data is a matter of supply chain and vendor management,” said Wolak.
Wolak said that the outsourcing concept is a great way to save money, streamline operations, and make operations more efficient, but it does come with risk.
“Particularly in the health care area, the concerns about potential risks are enhanced because you are transferring to a third party not only personally identifiable information but personal health information too.”
Wolak said that personal health information is particularly valuable because unlike a credit card number or other types of account numbers, you can’t simply change or delete personal health information, close an account, or change a user name or password to preclude future misuse.
“Any type of event or compromise or a breach can have a dramatic impact on business operations. Generally speaking, there are two lanes of risk: internal security risks for data that a company maintains on-site, and external security risks for the data that a company sends off-site to third-party vendors or that third-party vendors have access to,” Wolak said.
Quest breach
Early in June, the American Medical Collection Agency (AMCA), a billing collections service provider, informed Secaucus-based Quest Diagnostics that an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest. AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter.
Quest said that it is committed to the privacy and security of their patients’ personal information. Since learning of the AMCA data security incident, Quest has suspended sending collection requests to AMCA.
Quest said that it would be working with Optum360 LLC, which provides billing collection services to the health industry, to ensure that Quest patients are appropriately notified consistent with the law. “We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more,” Quest said in a statement.
A few days after the Quest breach, Burlington, N.C.-based LabCorp revealed that AMCA discovered “unauthorized activity” on its web payment page and that about 7.7 million customers’ personal data may have been compromised.
On June 7, U.S. Sens. Bob Menendez and Cory Booker, both Democrats, demanded answers from AMCA. “Consumers should be able to have a reasonable expectation that, when they share their personal data with any company or its billing partner, such as AMCA, the data will be protected,” the senators wrote in a letter to AMCA President Russell Fuchs.
“We must ensure that entities with access to patients’ personal, medical, and financial information understand their heightened duty to protect both the patient and their sensitive information, and that your company is taking both immediate and long-term steps to mitigate any harm.”
Menendez and Booker have initiated separate inquiries with Quest and LabCorp to get a better understanding of the breach’s scope and any remediation the companies plan to provide to victims.
Taking action
Wolak urged health care providers to conduct regular risk assessments.
“Data security is not a static problem, and it doesn’t therefore allow for static solutions,” he said. “Those risk assessments should include monitoring all the endpoints where potential compromises can occur, and attempting to mitigate the identified risks — whether it’s access by third parties to the company’s data, or company laptops that can be lost or stolen.”
For example, many of the health care breaches that occurred over the last couple of years were not the result of hacking activities. Instead, the breaches were the result of lost laptops, lost devices, paper records improperly destroyed, and similar events.
“This emphasizes the fact that seemingly low-tech incidents continue to be a real risk to privacy and security,” Wolak noted.
In the health care area, the issues arising out of a security incident may be compounded by the potential application of the rules and regulations under the Health Insurance Portability and Accountability Act. Wolak said that it depends on the type of information that may have been disclosed.
Potential liability under HIPAA depends on the facts and circumstances of the event at issue. Wolak said that at this juncture, there is simply not enough public information available to assess who may be liable in the Quest and LabCorp cases.
On June 11, the New Jersey Law Journal reported that Quest Diagnostics is facing investigations from the attorneys general of Connecticut and Illinois, as well as a putative class action in New Jersey.
The June 7 announcement from Connecticut Attorney General William Tong and Illinois Attorney General Kwame Raoul came two days after a prospective class action was filed in New Jersey federal court against Quest, AMCA and Optum360, according to the Law Journal.
In a statement cited in the NJLJ, Tong said the investigation is needed because “sensitive personal information of millions of patients may have been compromised, and I am deeply concerned about the adequacy of the plans in place to notify and protect all affected individuals. It is important to determine the cause of this serious data breach and what steps these companies are taking to ensure this does not happen again.”
According to the NJLJ, Florida plaintiff Traci Julin, a frequent Quest patient, filed the prospective class action June 5 in the U.S. District Court for the District of New Jersey.