
Shocking Data Breach at Quest Diagnostics: 12 Million Customers at Risk!

In May 2019, Quest Diagnostics, a top medical testing company, faced a huge data breach—its second in just three years. This time, nearly 11.9 million customers had their personal info exposed. The breach likely happened through a third-party billing system run by the American Medical Collection Agency (AMCA). Hackers got their hands on sensitive medical and financial data, including social security numbers, credit card details, and bank info.

The Breach Timeline

The breach was discovered on May 19 when researchers found payment card details of about 200,000 Quest Diagnostics patients for sale on the dark web. Then, on June 6, LabCorp, a competitor of Quest Diagnostics, reported its own breach involving nearly 7.7 million records, linked to the same AMCA website. This brings the total number of potentially breached records to a staggering 19.6 million.

What Caused the Breach?

The data breach is believed to have started with the third-party vendor, AMCA, which works with Optum360, a Quest billing contractor. Quest Diagnostics thinks the unauthorized activity happened on AMCA’s web payment page, suggesting a possible skimming attack. Web skimming means injecting malicious code into a website’s payment pages so that it runs in the customer’s browser, and it is often done by groups like Magecart.

Magecart is a well-known group of hackers famous for their stealthy and creative ways of injecting malware onto webpages, making it hard to detect. They’ve been behind several big breaches, including those affecting British Airways and Ticketmaster.

How Skimming Works

Skimming usually happens on websites through three main methods:

  • Keylogging: Capturing keystrokes to steal sensitive information.
  • Sniffing Form Submissions: Intercepting data submitted through forms.
  • Form Jacking: Hijacking form data to send it to hackers.

All these methods trick your browser into sending critical data, like credit card info, to hackers without you knowing.

How to Protect Web Applications

To prevent such breaches, companies can take several steps:

  • Data Encryption: Encrypted data is unreadable without the decryption key, making it useless to hackers.
  • Regular Risk Assessments: Conducting regular web application assessments to scan for vulnerabilities, identify risk sources, and fix them quickly.
  • Additional Protection Layers: Running different parts of the website under separate accounts or using a Web Application Protection solution to spot data exfiltration.
  • Fraud Indicators: Implementing regular scans to identify potential data breaches.
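
One way to run the kind of regular scan described above, shown as an added example that is not from the original article: it audits a payment page's markup for script sources and form targets outside an allowlist, which is where injected skimming code or a hijacked form would show up. The page URL, host allowlists, and sample markup are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed policy for a hypothetical payment page (all hosts are constructed).
PAGE_URL = "https://pay.example.com/checkout"
ALLOWED_SCRIPT_HOSTS = {"pay.example.com", "js.processor.example"}
ALLOWED_FORM_HOSTS = {"pay.example.com"}

# Constructed sample markup, not taken from any real site.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://js.processor.example/v3.js"></script>
<script src="//cdn.metrics.example/a.js"></script>
<form action="https://pay.example.com/submit" method="post">
  <input name="card_number">
</form>
"""

class PaymentPageAudit(HTMLParser):
    """Flag script sources and form targets that fall outside the allowlists."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def _host(self, ref):
        # Resolve relative and protocol-relative references against the page URL.
        return urlsplit(urljoin(self.page_url, ref)).hostname

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = self._host(a["src"])
            if host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("unexpected-script-host", a["src"]))
            elif host != self.page_host and not a.get("integrity"):
                # Allowed third-party script, but no Subresource Integrity hash.
                self.findings.append(("missing-sri", a["src"]))
        elif tag == "form":
            host = self._host(a.get("action") or self.page_url)
            if host not in ALLOWED_FORM_HOSTS:
                self.findings.append(("form-posts-offsite", a.get("action")))

def audit(html, page_url=PAGE_URL):
    parser = PaymentPageAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Calling `audit(SAMPLE_HTML)` returns a list of `(finding, reference)` pairs. A static scan like this only sees the markup as served, so scripts added at runtime need a browser-side check as well.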

Tips for Businesses with Web-Facing Applications

Businesses today face increasingly sophisticated and frequent cyber attacks. Cybersecurity spending on defenses is projected to exceed 1 trillion dollars by the end of 2021. Web applications are often the weak links that hackers exploit. Implementing the mitigating controls mentioned above can help protect your business and clients from internet attacks and enable quicker detection of any breaches.

Tips for Businesses Sharing Critical Data with Third Parties

In this incident, neither Quest nor LabCorp was directly compromised. However, the damage to their brand reputation is significant. Their names will forever be associated with major security breaches in Google searches. If you outsource critical data processing to third parties, it is crucial to assess their cybersecurity preparedness. Don’t assume they are knowledgeable; conduct site visits or audits and review their auditor reports thoroughly. At a minimum, send them a Third-Party Cybersecurity Awareness Questionnaire.

Tips for Individuals Affected by the Breach

If your personal medical and financial data was breached, including social security numbers, follow the advice given for previous breaches like those at Experian and Anthem. Freeze your credit until you need to use it. Freezing your credit at all four credit agencies can give you peace of mind, knowing you’ve made it as hard as possible for hackers to misuse your personal information.

For more information on protecting your data, you can visit the Federal Trade Commission’s identity theft resource.
