Quest Diagnostics, a leading American clinical laboratory company, announced today that the data of 11.9 million patients may have been compromised in a vendor-related incident.
A statement released by Quest revealed that an “unauthorized user” had gained access to a system used by American Medical Collection Agency (AMCA), a billing vendor subcontracted by a Quest contractor called Optum360. Patient Social Security numbers and medical records were potentially compromised. Lab results were not compromised, according to the statement.
On a scale from 1 to 10, this news should elicit a full body wince. Health services rely on a rich ecosystem of interconnected businesses, and there is a vendor “food chain” of sorts. The old truism that you’re only as good as the vendors you choose becomes more complex in a vendor-rich environment, because you may be affected by your vendor’s vendor. We have reached the point in our collective cyber insecurity where vendor vetting should extend to, or prohibit, unsupervised and/or undisclosed subcontracts.
The news that Quest potentially exposed extremely sensitive PHI (Protected Health Information) as well as the financial information of 12 million patients as the result of a vendor mistake should be met with serious alarm. The exposure was caused by an organization in Quest’s vendor food chain, but it signals that something is desperately wrong with the way big business views the perils of big data in general.
Call it vendor vulnerability. Call it an avoidable cyber-fail. But don’t say it isn’t serious. The revelation that specific lab tests may not have been exposed is cold comfort to those who now have a higher likelihood of suffering some sort of identity fraud incident.