You. Quest and LabCorp. Explain these medical database super-hacks, say US senators as 425,000 more people hit

Quest gets the dreaded sternly worded letter from Washington DC

As healthcare companies come forward to confirm hackers would have been able to access millions of patients' personal information from a compromised American Medical Collections Agency (AMCA) database, US senators are demanding answers.

Quest Diagnostics was yesterday on the receiving end of an open letter (PDF) issued by Senators Robert Menendez and Cory Booker (both Democrats from New Jersey) seeking some basic information on the blood-testing outfit's security practices and how it plans to handle the massive security fail by its business partner AMCA. Records of nearly 12 million of Quest's customers, stored in an AMCA-hosted data silo, were accessible to hackers for nearly eight months, it emerged this week.

"As the nation's largest blood-testing provider, this data breach places the information of millions of patients at risk," the senators' letter reads. "The months-long leak leaves the sensitive personal information vulnerable in the hands of criminal enterprises."

This comes after Quest told the SEC it was informed by AMCA, the debt collection company hired to extract payments from Quest customers, that its databases of patients had been broken into by hackers. The AMCA-hosted Quest database, which was under the control of one or more intruders from August 1, 2018 to March 30, 2019, contained approximately 11.9 million customer records from Quest.

While the New Jersey congressional duo note that it was AMCA who was hacked, they still want Quest to explain when and how it learned of the incident and what it plans to do as far as notifying customers and protecting their data from further misuse.

Additionally, the senators are curious as to how the hack went unnoticed by both Quest and AMCA for eight months, and whether Quest performed any tests or audits on the security of both its internal records and the data it entrusted to outside partners.

The letter gives Quest execs until June 14 to respond. The company did not return a request for comment on the matter.

Similarly, the senators also wrote [PDF] to LabCorp this week, demanding answers. LabCorp had 7.7 million patient records stored in a hacked AMCA database, and is almost certain 200,000 of those entries contained credit card or bank account info that was siphoned off by the intruders.

Meanwhile, add one more medical testing company to the ranks of those hung out to dry by AMCA. OPKO Health, a test and diagnostics firm headquartered in Florida, told the SEC that it too had data stored on compromised AMCA systems. Specifically, records of 422,600 people that included patients' names, dates of birth, addresses, phone numbers, dates of service, and balance information.

Of those 422,600 patients exposed to the hackers, 6,600 had credit card or bank account information included in their file, and will be offered two years of credit and identity theft monitoring service free of charge. ®
