Quest Diagnostics says 12 million patients may have had their personal information exposed

cnn ^

[BenLurkin]

The clinical laboratory company said in a release that an "unauthorized user" gained access to a system used by American Medical Collection Agency (AMCA), a billing vendor hired by a Quest contractor called Optum360.

Quest said the information that may have been exposed included Social Security numbers and medical information, but not test results.

AMCA first notified Quest on May 14 of "potential unauthorized activity" on its payment page, Quest said. Two weeks later, according to Quest, AMCA then told Quest and Optum360 more about the breach, including the number of patients potentially affected and what information was accessed.

Quest (DGX) said it has suspended using AMCA and that it was using "forensic experts" to examine the issue.

It also said that AMCA has not provided "detailed or complete information" about the hack, including which customers might have been affected.

[AnotherUnixGeek]

Companies insist on obtaining highly confidential information from customers, and then skate after suffering massive security failures which release that highly confidential information to random hackers. Equifax spewed out the credit information of millions of people in 2017, and the only remedy they provided the victims was a year's free subscription to their own online security product - the security product of a company which obviously knows nothing about basic data security.

There need to be severe liability consequences, not worthless class-action suits which provide victims with coupons and other garbage. Both Republicans and Democrats are too busy covering the butts of these companies and not trying to protect the interests of their constituents - Equifax continues to get big government contracts, by the way.

[utax]

Well thank goodness i will receive Free Credit Monitoring for a year!! And i feel great knowing that if there is a class action lawsuit over this some attorneys will make $$Millions.

[utax]

” the security product of a company which obviously knows nothing about basic data security.”

Who would have guessed there would be a problem when their “Chief Security Officer” was a music major? No one could have seen it coming.

[ptsal]

Look at the hurdles that must be cleared to opt-out.

There should be one standardized form (post card) saying do not report my credit history and do not bother me again.

[aMorePerfectUnion]

https://m.youtube.com/watch?v=x8FNVsbnwWE

Free monitoring! :-)

[George from New England]

As Clark Howard says, DO NOT GIVE YOUR SSN to any medical outfit. ANY. Under their medical oath, that cannot deny you treatment.

[George from New England]

There is no such thing as FREE.

Any credit monitoring IS NOTHING MORE than your exposure to another avenue of ID theft.

[George from New England]

“Look at the hurdles that must be cleared to opt-out.”

It’s long overdue for Congress to pass a law restricting SSN for I.R.S. use only.

ONLY. No medical, no credit, no nothing.

[Ken H]

I have a credit freeze in place with the big 3, as well as a couple of other agencies.

Good info here => https://www.bogleheads.org/wiki/Credit_freeze

[glennaro]

Before I came to the obvious conclusions that SSNs are no longer private, I just used a fake one with the following alphabet numbers:
621-31-1920 (6-21-3-11-9-20)

Nobody ever questioned it because they never used it ... they just wanted it.

[wastedyears]

I have epilepsy. And?

[George from New England]

The reality is its is only used for collection actions. Offices will claim “the law requires it” to be submitted. Or “insurance requires it” or “we need it to verify you are who you say you are”. All crap.

[Retvet]

This just proves medical records should not be on line.

[Grampa Dave]

It’s long overdue for Congress to pass a law restricting SSN for I.R.S. use only.

ONLY. No medical, no credit, no nothing.

Out in Pelosi country, decades ago, Jim Eason a somewhat conservative radio talk show host, would go on a rant several times a year warning us about our SSN’s in the wrong hands. He took particular aim at the healthcare industry.

Like many ahead of their time prophets, we made a lot of fun of him.

Then, we find out that minimum wage receptionists in doctor’s offices and hospital admitting offices were peddling SSN’s for their profit.

[unixfox]

It’s long overdue for Congress to pass a law restricting SSN for I.R.S. use only.

That horse left the barn long ago.

[RideForever]

621-31-1920 (6-21-3-11-9-20)
Nobody ever questioned it because they never used it ... they just wanted it.
_____________________________________

From retired computer programmer pov, the first thing I would do is strip all special characters from the string, check the count of digits remaining, and post error if not 10. So you really don’t know whether they used it or not.

[BenLurkin]

I’m sorry to hear that.

[I want the USA back]

Why do they design systems so that this much data can be accessed at one time by one user?

Each individual user must have limited access. Any users with superuser access must be restricted to logging on ON the premises, and with strict logging and real-time monitoring.

It way past time to trash the SSN as it is now. For starters, it has no check digit. Should be longer, contain letters and/or numbers, and be checked every time it’s used for internal consistency. But what would the systems designers know about that?

SSN should not be used as the universal individual citizen identifier, as it is now. It was a retirement account number! Ah, but the politicians in charge at the time knew damn well what they were doing, and knew what it would become. Luckily, they’re all dead now.

[curious7]

See 1974 privacy act law.