It's no wonder that Quest Diagnostics was an alluring target for hackers. It is a Fortune 500 company that provides diagnostic services to one in three US adults every single year. Each year, it also provides services to half of the country's hospitals and physicians.
The breach took place via its mobile app, MyQuest by Care360, which allows patients to manage their appointments and view their test results. The hack gave "an unauthorized third party" access to patient names, birth dates, lab results and telephone numbers. The hacked data did not contain Social Security numbers or financial or insurance information.
Patient privacy not safe
The hack is only the latest in a surging number of cyberattacks on health care companies. In the first 11 months of this year, 92 separate health care-related data breaches were reported (not including the Quest Diagnostics breach, which was reported this month). Last year, hacks compromised records for more than 12 million patients.
"For hackers, developing a targeted attack is a significant effort, so it's no surprise that they focus on healthcare organizations that store highly valuable patient data (significantly more valuable than credit cards … )," said Israel Levy, CEO of security company BUFFERZONE. He called the Quest Diagnostics hack "yet another indication that despite regulations like HIPAA, healthcare organizations still aren't doing enough to protect themselves."
The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to guard the privacy of patients' information. Thus, records stored or transmitted on remotely accessible networks should be protected with the highest levels of digital security -- which, by and large, does not seem to be happening.
In a high-profile case last year, Anthem Blue Cross Blue Shield -- the second-largest insurer in the country -- suffered a data breach affecting the records of an astonishing 78.8 million people. In that case, no medical or credit card information was lost, but patients were warned that the information lost -- names, birth dates, Social Security numbers, employment information, email addresses and even street addresses -- was sufficient to fuel various types of identity theft and fraud. It also provided a way for scammers to contact patients, posing as representatives of Anthem, and try to gather more information.
Highly profitable targets
Evidence suggests that the hacked information sells for lucrative sums on the black market. Earlier this year, a hacker claimed to be selling a total of 655,000 patient records from three different health care organizations. The seller was asking for $100,000 to $395,000 per database.
Hackers can also find other ways to make money from the health care industry. In February of this year, Hollywood Presbyterian Medical Center paid $16,664 (40 bitcoins) in ransom to hackers who had shut down its computer network. In this type of attack, known as ransomware, hackers encrypt the victim's data and provide the decryption key only upon receiving a ransom payment.
Hospital CEO Allen Stefanek said patient care was unaffected and hospital records remained uncompromised, but that administrators had decided that "the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom."
Computer security experts normally advise against paying ransom, although in some cases this is contradicted by law enforcement, said Adam Kujawa, head of malware intelligence for digital security company Malwarebytes.
"Unfortunately, a lot of companies don't tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals," Kujawa said, "but I know from the experiences I hear about from various industry professionals that it's a pretty common practice to just hand over the cash."